d9bc209c76
* Locked versions for releases: 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
{
|
|
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Policy Rule",
|
|
"sha256": "8d99a9516adb82d97ce31f13c09b7c0ac13e93f917be99097507c20c4015d17e",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"00140285-b827-4aee-aa09-8113f58a08f3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via Windows Utilities",
|
|
"sha256": "7ceb2877a0370d94be392bbe6c33df71f2affb01502593a074424860a5bd0b7d",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "4286639db44046de50005bd7097512f21e39f2a52cdb8345be584c9ad02e4adc",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Google Workspace Suspended User Account Renewed",
|
|
"sha256": "cfbc6ffe95e39937d68146e42f932947e2c3c96cc9a42ab296e12bc8c613f5f1",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"0136b315-b566-482f-866c-1d8e2477ba16": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 User Restricted from Sending Email",
|
|
"sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"015cca13-8832-49ac-a01b-a396114809f6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Redshift Cluster Creation",
|
|
"sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Cookies Theft via Browser Debugging",
|
|
"sha256": "1f6016205bdd04508b0d8671b2b30a4eb1b8f0fe62aa4024a1d4baf913a02b93",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Process Created with an Elevated Token",
|
|
"sha256": "67b7525831b20322988d48f3e1ee927a32369070f69e1b6c0e4e8239c0c15d6d",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"02a4576a-7480-4284-9327-548a806b5e48": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
|
|
"sha256": "789be8d5147c605bb71d3b8591d50e528487c9440450bf27e1711d36edb5b5c5",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Dumping Account Hashes via Built-In Commands",
|
|
"sha256": "d2c3a678a60fd16ce4fb4f298b85f64f7c780ee43c088155a54aa3b240a2b62d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
|
|
"sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"035889c4-2686-4583-a7df-67f89c292f2c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "High Number of Process and/or Service Terminations",
|
|
"sha256": "dd6c1bb700d4b7243352b74d107b1a80d833e0e7803adb9011472cbe673314eb",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"03a514d9-500e-443e-b6a9-72718c548f6c": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "SSH Process Launched From Inside A Container",
|
|
"sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"0415f22a-2336-45fa-ba07-618a5942e22c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of OpenSSH Binaries",
|
|
"sha256": "5bed0c50445b232e92f1f2e5cb84dcf93e8599342d6337c785948a0eade70419",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DNS Tunneling via Iodine",
|
|
"sha256": "915fd8f02f70d4534fadab29964fe138e115e4032d324f80eeea65e8364adc18",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure AD Global Administrator Role Assigned",
|
|
"sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
|
|
"sha256": "542e052f17b733bece1890910265a68070e619b61b65fee4863941d0049a877f",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"0564fb9d-90b9-4234-a411-82a546dc1343": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft IIS Service Account Password Dumped",
|
|
"sha256": "6c2659629ecf23b93bba53227738008cca52ee9a54d0d0a71181b02a0f189bb5",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Conhost Spawned By Suspicious Parent Process",
|
|
"sha256": "46cdc58f49c8ec428ea58ef3fc1f0c2e0d0513e26061021a7d78fb015cf8682f",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "24ed5d192e4dfa765cd52b240eb2e3b0db1984cf8fc53acbf42de66858916b46",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"0635c542-1b96-4335-9b47-126582d2c19a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote System Discovery Commands",
|
|
"sha256": "563fe9eaca1e1e48398b91a676ecfd27746f513a3d504507be7e3fc94327dcdd",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"06568a02-af29-4f20-929c-f3af281e41aa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Time Discovery",
|
|
"sha256": "ceef78e29bb12783c4e7bd67ead843022c541b162f4101bf1df4c38009feebbf",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
|
|
"sha256": "d24f0107c6c9486ebbfa12707278c3c5a84f775a7051d76bb188178cd97695fb",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "f33a2c60b52132afa19f7d1b04f28a51527e239f2be3d1e0af94cf4dbe0a508b",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"074464f9-f30d-4029-8c03-0ed237fffec7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
|
|
"sha256": "22f0eca0e14ff81ca6968be97b9be1ac76795d7c7cfcb77c669b486f3feb0490",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Local Account TokenFilter Policy Disabled",
|
|
"sha256": "8f5be7d3bda530597080b538417d320e771038574ab9532bf334820643da2012",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
|
|
"sha256": "4ec0b63c545009d7d16d34cd9b95f34edbcf4135f498aa77a805f544b07e6310",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
|
|
"sha256": "9df4d9a342110c032419b2564bf6376a9357291ca8b3ead073faf9e5214419e6",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"080bc66a-5d56-4d1f-8071-817671716db9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Browser Child Process",
|
|
"sha256": "9f89e10a43049fdd1c7d8cd36c35993b58cfafbbd8d75a91dbad6c55ed9abcac",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
|
|
"sha256": "e1e1fb20c0848c46dbc60d975a90bbafe0f2fa9c3004b103bc67da463de80761",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"083fa162-e790-4d85-9aeb-4fea04188adb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Hidden Child Process of Launchd",
|
|
"sha256": "0d33a7b572a0b2f6a9fac660cbe0f5023d907c895cdf39f0a6d79f6dc32cec0f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"092b068f-84ac-485d-8a55-7dd9e006715f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Launch Agent or Daemon",
|
|
"sha256": "f935fba02086f8be758f3b9489c61f15d8ad949e6d960266f34c6ac2afdc85b6",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"09443c92-46b3-45a4-8f25-383b028b258d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Termination followed by Deletion",
|
|
"sha256": "83c1e1e8da61999bc663549fb8e8e0e5efda4785ae7b3e397701d1b57c66d124",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
|
|
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
|
|
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
|
|
"sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"0a97b20f-4144-49ea-be32-b540ecc445de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Malware - Detected - Elastic Endgame",
|
|
"sha256": "e7526826870e2810425f96e236661c418fd0b78632279740ea92cfe0edc0de6c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "9595ea9abe7f131ce8ef756327adc42d3e3f68fc866ddb22edd6327ffe22ec32",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User account exposed to Kerberoasting",
|
|
"sha256": "0cdcc5efba4bbbddd11d3637a92be7d075bd2bbd3e8f44698ea7dde40dc77ea1",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Threat Intel IP Address Indicator Match",
|
|
"sha256": "8533448ed34a4074d575cee79f3284385802efe070d09e2a88bc4fd09b1b347a",
|
|
"type": "threat_match",
|
|
"version": 1
|
|
},
|
|
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Peripheral Device Discovery",
|
|
"sha256": "f484d3e00e0c096828790f0301bd66fc0e746ee839f95f372ec694c5057f8d8f",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
|
|
"min_stack_version": "8.5",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Threat Intel Indicator Match",
|
|
"sha256": "92b2fe11e138552116f69ae042966934b52ed36c6cfa6e03831de7f703c68bca",
|
|
"type": "threat_match",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Deprecated - Threat Intel Indicator Match",
|
|
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
|
|
"type": "threat_match",
|
|
"version": 204
|
|
},
|
|
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
|
|
"sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Alerts Involving a User",
|
|
"sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252",
|
|
"type": "threshold",
|
|
"version": 3
|
|
},
|
|
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "ee85a3f7c234d44927852d506fca33cfc75eec28452fc15f59a686314d90a7ba",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of File Written or Modified by Microsoft Office",
|
|
"sha256": "957cbc7582e9aa63ba824f1e9d089ba9e08d0811c60b56eaed48becacaa404aa",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SharePoint Malware File Upload",
|
|
"sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Key Creation",
|
|
"sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"0e79980b-4250-4a50-a509-69294c14e84b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "7559300757f955a76e69fde5ed3d0d581ed0b6765514f5edd1dbfd1b4c9ad43d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
|
|
"min_stack_version": "8.6",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "RC Script Creation",
|
|
"sha256": "8ff8bb29b78a06c2423fd81d4e1ee96b96a55b848136791f25b4415a0ada11f3",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Persistence Through Run Control Detected",
|
|
"sha256": "0c7ef8700bd8ead580fa9253231e7f6c281076a58c1504a68e9568286421780c",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
|
|
"sha256": "11e0bf29e964bfa87c51e81ea74a1e1174e444b2585a44c67e5a7db58fd0391a",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Root Crontab File Modification",
|
|
"sha256": "dcdb5f1a6a492166c0bba63394f40eb43a4f0fb57319848dfbbc3a3578c32443",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"10754992-28c7-4472-be5b-f3770fd04f2d": {
|
|
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
|
|
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WebProxy Settings Modification",
|
|
"sha256": "438530899895194781ddc4006fff420bf7523b45906f957871e7dee42abc8543",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"11013227-0301-4a8c-b150-4db924484475": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Abnormally Large DNS Response",
|
|
"sha256": "7ae8452448297fae3af27315e9a0cd50e7419f0dec791237656f8859df113c3f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
|
|
"sha256": "e396766823e2a5405b9b406ce2880740eafe1dad906817dad76eab68c55f6ce1",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
|
|
"sha256": "63bc38efcfec562edc1061756b0342376516b05fa2fb863012a58c668a580f6c",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a5": {
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
|
|
"sha256": "49a147419adf16d77ef5e0504097c90d75178bcce797e3772af1cd0733f0875d",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
|
|
"sha256": "d3059cd402c14f14002ea7323b4fc71ea5c1a815b5531b9b5299b3bf0e3e8e45",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"12051077-0124-4394-9522-8f4f4db1d674": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
|
|
"sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"rule_name": "User Discovery via Whoami",
|
|
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"128468bf-cab1-4637-99ea-fdf3780a4609": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Lsass Process Access",
|
|
"sha256": "1eb30fe67fa0abaee0506c1b7c6670c291135f1d6068853480c1a55653893c67",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "658882e3d31e0988978c24743e8f15fb3423fde5b395cbfc75a641548a291359",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "be2beac962529968b937bc8b019d5fd86147ea3a835ac837709352145e20bdfb",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"12cbf709-69e8-4055-94f9-24314385c27e": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "00e261301692eeb8bc7453cbea5c4605ca9c6d2ae38199b35ad83ffd4a9d0c4b",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "aced9ff9e762b1884af066530083db98a9ccfeb24195d8f89c6344ca22a77d00",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Cmd Execution via WMI",
|
|
"sha256": "8492aea09a8f74fb916c4b43d9f9496d4961b84eacddada8e41edc2bab53cf13",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Scheduled Job Creation",
|
|
"sha256": "165d90954e8258658e25a73c27e904aebdfb5c3f0746edae89432e0b251f3559",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Rare User Logon",
|
|
"sha256": "d79f5a924028ce11cb5341db06c539127620d7e597136fb655293a574cf8fb81",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure External Guest User Invitation",
|
|
"sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "ccfab492c8adbc45331067fb58cb3959c360d967505ff0d7ffeaa1323868d37d",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "3d39cfe20aef41ad7da949c25c18b33868177276c2c4ee9af234be4282e68392",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "2b3001e30acc01d9f64cf5554b3ca2ea3e9bcb22df0ef756717434b46b95919d",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Time Provider Modification",
|
|
"sha256": "9ab2deeaf3638f10af0ec2ca4a3c89ea6ad2ec7db4d2ff2a51279145b5a60995",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Scheduled Task Execution at Scale via GPO",
|
|
"sha256": "17c01410a2573124cf140a518366b8a585209a201bfee33b5f7d855fa9b07e2c",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
|
|
"sha256": "2ba2deb5cd5e080ab5084bcd5a91402553f04f43ce0dc8e89e9b0ea0723b58e7",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"15dacaa0-5b90-466b-acab-63435a59701a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Virtual Private Network Connection Attempt",
|
|
"sha256": "44f9d9a8dd21e71fd622520c48dee8e34a6385a00233d02159d3b6ea627c995c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Runbook Created or Modified",
|
|
"sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"166727ab-6768-4e26-b80c-948b228ffc06": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Creation Time Changed",
|
|
"sha256": "a13ea0c57c34bf29a26117cd89ad3d1760dedb9b4fa54adcc0eee079fa605f83",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"16904215-2c95-4ac8-bf5c-12354e047192": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Kerberos Attack via Bifrost",
|
|
"sha256": "0892038cb6c2617c76c01133337736a9dc13f00858043d1d47a26093d59fd670",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Group Creation",
|
|
"sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"16a52c14-7883-47af-8745-9357803f0d4c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Component Object Model Hijacking",
|
|
"sha256": "e3946cad4be97cacd6eae1721271b99d75c06e1af3701bbb7aacb41fe100a1d2",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup/Logon Script added to Group Policy Object",
|
|
"sha256": "da818e423eb85083fbcbe6984e8f3a75595575cfe82ec3d62e8a531eb3627fad",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "fff16af718cd9ffae3845fb7daad7562efcd57c71784ae10ed3b7b458a9107c1",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "ff1fa0b30a31a711cdc799b98e3e33a6941b35265488642c8aa915e3c21f0154",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "3895aa490f18fe5c408b47123198b36f74c34e00ff47968814da0ff89e19a4a6",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "8c8018eb635fd964b7430b8124f9a03577ac17f143c87d56a9222e575a052e4c",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "8266a1b8aa08d10d5a6152680285c505e74d47f6eb0b5130ccfb482b597be1b5",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "New Systemd Service Created by Previously Unknown Process",
|
|
"sha256": "821af40f1849e4b35c093ac6e5fd204480f2c95bf6d36491978d7ab00b45bec0",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution - Short Program Name",
|
|
"sha256": "4c9a388305e9621eed68d980fcce6855e5f5767e644a8eb5119e694f924847f9",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "d11d221471750536a9a97aee505829b9e7901d9b98e601a6e934d045991a364c",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Logging Sink Modification",
|
|
"sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
|
|
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
|
|
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Rare AWS Error Code",
|
|
"sha256": "0b677c45dc16ebe1b9892935012d7b471f6ba00dd9ca2a5f6762e7fc9f6b9db0",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Suspicious Network Tool Launched Inside A Container",
|
|
"sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Application Credential Modification",
|
|
"sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of COM object via Xwizard",
|
|
"sha256": "bb578f3e1d24bdb4b2416fa51a933ce19fe9ccf405b52123fb1cb4bb511610b1",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Suspended",
|
|
"sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "e544e513edc167ed6b2f43ccdec0ecb083ad0e80d51ede5803386ca3651e9eb6",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "ebe2157d2be3dec7bdb644d51a8e5563886c3037dce4f3ba3b44802e8a515f80",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
|
|
"sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
|
|
"sha256": "d04dc98fb22e15f098a76788b675edc49e4bf499983adbf70710640742a10eac",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
|
|
"sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious File Creation in /etc for Persistence",
|
|
"sha256": "09705ab2ee66850492028c8fd86ed71afce32f932312e1453b6886d0c9e95fa6",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Kubernetes Rolebindings Created",
|
|
"sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming Execution via WinRM Remote Shell",
|
|
"sha256": "fd9c5690985b7c83672b0f08e298045ca247f83559a1a858a5b4752308f6bed9",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"1d276579-3380-4095-ad38-e596a01bc64f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via Script Interpreter",
|
|
"sha256": "94b1f780ffc9a1e13fabd97046085a02068f9f236c4655443b571fedaf8b3c40",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "External IP Lookup from Non-Browser Process",
|
|
"sha256": "88344077479fe7a92e02d7ed80dd61d1733d35872c4b32300f7c75ce99e0e74e",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
|
|
"sha256": "93b7e7fac1d5e02c02a55442180144d8208388b91747001d093b52acb138f3ab",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
|
|
"sha256": "399683cb8a7541296d941d6618de6a1d2337c04d2e684ad1dc1972353e1de5c2",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Suspicious Inter-Process Communication via Outlook",
|
|
"sha256": "b29c7d6e24c565eee5866f5af3a82ec494cc73979d164aa505e18b899295dc13",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of File Written or Modified by PDF Reader",
|
|
"sha256": "6cd196b7a97a8f6c1d768209ed9210b64b27f19aa8d565661ab20aa0f41d779c",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"1e0b832e-957e-43ae-b319-db82d228c908": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Storage Account Key Regenerated",
|
|
"sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Sudo Activity",
|
|
"sha256": "bca7fecf19183cd732a99c75e2ad7e1c24b4b68d6b0c9d139c52cb90c3883707",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
|
|
"sha256": "f4f1855c3d07e066c8d74169deb4309f645c762486e6f46f41a449a5f1ba8d31",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux User Calling the Metadata Service",
|
|
"sha256": "cd7269a5ce602d12ff69bfe2289d0777a0e9fda7421a49fdd26876b6cee74963",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Activity from a Windows System Binary",
|
|
"sha256": "f510867b1dd612ee31f4ed99ee090e6cc0806950251ecf15121b5456971ed514",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exploit - Detected - Elastic Endgame",
|
|
"sha256": "e985eb9816fbebe3599feb87b715f34c43f15a76293dc8ebefa29e0d5b6a7e3f",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious .NET Code Compilation",
|
|
"sha256": "9a42d53d5a21a54a4ab03b5e096f23a5c2f253ee8cfa8eb8582b68d0cecd3010",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation or Modification of Root Certificate",
|
|
"sha256": "670dd0c9b2c28c3401cdd4c2b4f0f6e5a071084a45af151cff15482da623680e",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
|
|
"sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Access of Stored Browser Credentials",
|
|
"sha256": "35234173d5b9d4718749b086304cb9d676b2ece095386c7e288c7f5b229ef241",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "LSASS Memory Dump Handle Access",
|
|
"sha256": "1c23cc9b4544d51bbbd10ce33e915cb6276bf71aeedc24400651d0995cb17dcc",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
|
|
"rule_name": "Auditd Max Login Sessions",
|
|
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
|
|
"sha256": "ec8d63e382350e56393f2ddda05cf6e288ce88da4ee9c9d5976adaff99779885",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
|
|
"sha256": "19ec6a6a0896ae50d8ef759a3f9583c21b1365d0018106a5e0e0d688c0654f86",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SSH Authorized Keys File Modification",
|
|
"sha256": "50288c67d08a85066d487dc1bfa5f383349b562b3320be4b185d22d4ef2cc876",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"22599847-5d13-48cb-8872-5796fee8692b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SUNBURST Command and Control Activity",
|
|
"sha256": "ab7404ca7d6b35763ff36170fef47dcca626b1485be92ad0740e5510531bef00",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"227dc608-e558-43d9-b521-150772250bae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS S3 Bucket Configuration Deletion",
|
|
"sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Storage Bucket Permissions Modification",
|
|
"sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kernel module load via insmod",
|
|
"sha256": "3230f6862ca7942199fb112659d899430fc1f392287340947964a157ab375492",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Lateral Movement via Startup Folder",
|
|
"sha256": "0b15540e1cf3135d70aaebeb44cd8b9611082ce65c7ceb3da995764c1da3f64f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Blob Container Access Level Modification",
|
|
"sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Update Orchestrator Service Hijack",
|
|
"sha256": "00a292de5d79ed61455a5054641d763aa07e5dfa9bd3b4ce12a8771ac4349411",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
|
|
"sha256": "f45fdc170e91f37235ae1357d1612e1372586f8b503693d00740193525ed36df",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"26edba02-6979-4bce-920a-70b080a7be81": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
|
|
"sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
|
|
"sha256": "6034810ddf957379536be3d43d1d1f5868b60b212e1e0224b1347552764b3240",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"272a6484-2663-46db-a532-ef734bf9a796": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
|
|
"sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"2772264c-6fb9-4d9d-9014-b416eed21254": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming Execution via PowerShell Remoting",
|
|
"sha256": "f96041c4a051d8bc206063cccec4c36ba921d0212c5d724572623af7ae44c6f9",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Firewall Rule Modification",
|
|
"sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Teams External Access Enabled",
|
|
"sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Account Password Reset Remotely",
|
|
"sha256": "4e81da588d72ce375e5c9d046ebc2d09776070111a26ad970d2a12b048741c4d",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Account Discovery Command via SYSTEM Account",
|
|
"sha256": "421b6d4b08c0d4f3bbe75d35977673e821d543f468f6a2a7d847bd2eca7c5a33",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exploit - Prevented - Elastic Endgame",
|
|
"sha256": "2cd4ef3408eed788d9622c7de25f23314bbe10bbc4d7cfeb94d651618911ad94",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"28738f9f-7427-4d23-bc69-756708b5f624": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious File Changes Activity Detected",
|
|
"sha256": "d4f6e38433ee840988ea690bc217d0c04ff099fc5e183146a176b8d77ec750a8",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"28896382-7d4f-4d50-9b72-67091901fd26": {
|
|
"rule_name": "Suspicious Process from Conhost",
|
|
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Security Group Configuration Change Detection",
|
|
"sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"290aca65-e94d-403b-ba0f-62f320e63f51": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
|
|
"sha256": "181901c752e8e7635e1500c27e50132811a64005156e75d5e599f3fc3e1aa33d",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2917d495-59bd-4250-b395-c29409b76086": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
|
|
"sha256": "c491a97447ad88905464a5b08d67ea3d21cdcc34301ff855f7bb8be2a30b8c8c",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Privileged Local Groups Membership",
|
|
"sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
|
|
"sha256": "bd95cc69164fae41e991e31ae5435c01f2785e2c361dafea62766db0b0f66a10",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
|
|
"sha256": "ac1d0b24c8b4fdd50c135a7ecd4193f9584cb7fdc8d82531c70122b5826e9a5c",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "ESXI Discovery via Grep",
|
|
"sha256": "d1ab09bbfe775bdbf5f46ddfa00ee77ebaeb9c8e95e41007c1d584ef9e9d91fb",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "7ca0b1c215fd41e090bfe76124918f2469edb27a5b908f850479646379268a1f",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Defender Exclusions Added via PowerShell",
|
|
"sha256": "fe321f5fa2f5c624874ecd66cd88b4a28ae51c98a4c853fa56df88a076db045d",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
|
|
"sha256": "a13260284beaf73ffd9e03b97a7dbc44b47b6698d9c0e7fab41b60751c153e17",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Kernel Modules",
|
|
"sha256": "4b0264a513359d05b99ad58d22080e4a27d8a180acd51c3a29b5a0762338548b",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"2dd480be-1263-4d9c-8672-172928f6789a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Process Access via Direct System Call",
|
|
"sha256": "df14ef4e07fceb0c56c6aa4890c718fa6bd9c54adc900f5bf264727e7a7c0d37",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"2de10e77-c144-4e69-afb7-344e7127abd0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
|
|
"sha256": "6bbeaa26cdd427d0a628c899b4f643da7efd6be92918fc554a679d294bf1e136",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Wireless Credential Dumping using Netsh Command",
|
|
"sha256": "c66ac99c527d9ce3a571674a8427fc145e236e7704adb15cb5ba3a9746db5957",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Renamed AutoIt Scripts Interpreter",
|
|
"sha256": "b3d25fdf38184ccbc533bdd668d051180f53b7d0c949a2ce67bb64116298e817",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Process Injection via PowerShell",
|
|
"sha256": "58530124be115763c6110e3c32f34e5fc8c70fa063e74e97252e3dcccc45a1f0",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"2e580225-2a58-48ef-938b-572933be06fe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Halfbaked Command and Control Beacon",
|
|
"sha256": "09e550845fb86206a91ec5d634e2a5427e344a491c0c76e59a66b6f4a4d4f99e",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of a Hidden Local User Account",
|
|
"sha256": "6e26beebe37e253940cae2bdff3afe8ee83ba7b02233dd15836064bf39c628df",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
|
|
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
|
|
"sha256": "a2b5ab3826b1cde02a575c82b7104c9c83c01df0d94e55c0eebef57c5ea292bc",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"2f8a1226-5720-437d-9c20-e0029deb6194": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Disable Syslog Service",
|
|
"sha256": "018cd94848cb4fe2b823573ca90addd46f7d11c6846367ce77057e16348d8181",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup Folder Persistence via Unsigned Process",
|
|
"sha256": "98c901ae5e94affee20ba28310355c2fe120f82d9f2b15408ee034c7f1c48656",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Defender Disabled via Registry Modification",
|
|
"sha256": "2922c5af881ac324c921bac57370a6c0fe4a370f396f73294ece99e681f6624b",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"30562697-9859-4ae0-a8c5-dab45d664170": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Firewall Rule Creation",
|
|
"sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "ESXI Timestomping using Touch Command",
|
|
"sha256": "ff7198e3ae00ec17b015d5caef7bf6f51b3b3307706d52a2c796961917e3f4a7",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Agent Spoofing - Mismatched Agent ID",
|
|
"sha256": "edb96a30a9a4b522b0f24c47e6c9e97132020bca3d111e9f0fb2478062ca5c46",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
|
|
"sha256": "394278b77c3a54380ee197c9763706f2e530452d5b564a4c0d6b14137d57f87e",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "e139026fbd34c9525711ed72b88a81109c225feb7a1a0a41785dfe0ad88a5929",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"3202e172-01b1-4738-a932-d024c514ba72": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Topic Deletion",
|
|
"sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"323cb487-279d-4218-bcbd-a568efe930c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Network Watcher Deletion",
|
|
"sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"32923416-763a-4531-bb35-f33b9232ecdb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RPC (Remote Procedure Call) to the Internet",
|
|
"sha256": "227dd024cb116e5788d4d57bb5a4470e236eb0c932548930d13a6a5ead304cf0",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Program Files Directory Masquerading",
|
|
"sha256": "898a7167c8dfc155008b0e6d6ffab05c9635c1a5dc338425e37a8394c8aafd29",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "1659091d6dbe28ced2ef8913bc04782e4d1d8d625937e952813963be6f20788b",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM User Addition to Group",
|
|
"sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "ESXI Discovery via Find",
|
|
"sha256": "bca338c4bb301ac4191c10df0d7d041b6f9c0ab26d5dba224b2b9994cd5df038",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via PowerShell",
|
|
"sha256": "4f0261a509340ce697cae18ff363cd65e6ae445d0e14205b621692ca69c11821",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"34fde489-94b0-4500-a76f-b8a157cf9269": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Accepted Default Telnet Port Connection",
|
|
"sha256": "6fde829b7083578ace3bcf3cb7d8c73a7cc94241c0a398fbc0d6b2ccf1f46505",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via Electron Child Process Node.js Module",
|
|
"sha256": "4e4f1ca5dbc0514454d1a3115a8b68dd8714436f18a31c634c4a789cc553c02f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Port Forwarding Rule Addition",
|
|
"sha256": "eb18cc9f3ce0afd24d48731362479b2f44e2f2cf86318748a3d7e3a05b6796a5",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "5d218c23d7890651426cbf9d2bf0c45a9f1035b9c7e58cbebf940d056a646cc0",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"35f86980-1fb1-4dff-b311-3be941549c8d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Traffic to Rare Destination Country",
|
|
"sha256": "5ef2c3108854bbd6066179b046631ae86b850a69f8d2a3758c16720357c06740",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
|
|
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
|
|
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"3688577a-d196-11ec-90b0-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Started from Process ID (PID) File",
|
|
"sha256": "aaa90bcbfc34f0d20adea2737bc7e8d8381dda457a88edec1d14211844c480e9",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious ImagePath Service Creation",
|
|
"sha256": "37453c357380c78e1e35d3ef7cd1ff4b43d6f243dbb71efe30a8986f1f0e57db",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Security Group Creation",
|
|
"sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"37994bca-0611-4500-ab67-5588afe73b77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Active Directory High Risk Sign-in",
|
|
"sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
|
|
"rule_name": "Anomalous Kernel Module Activity",
|
|
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Execution via System Manager",
|
|
"sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"37f638ea-909d-4f94-9248-edd21e4a9906": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Finder Sync Plugin Registered and Enabled",
|
|
"sha256": "31590edf65e0763ba73b2ebdc09e3272e3badc15ce32c829d4f4a53e218121a6",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempted Bypass of Okta MFA",
|
|
"sha256": "f16286e6548fd50dc0963524caabc29e0519da1d2134e7c6d53509b7c65ee776",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Certutil",
|
|
"sha256": "2f7363e01086d9f4d428dc64bde673731ae3d446bad5b94bec779ce3a11af01e",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Prompt for Credentials with OSASCRIPT",
|
|
"sha256": "f4ebaabdcfd8a2ce59c681dbb38e19a4f3030e555275b36870f1703bd1580f23",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Added as Owner for Azure Service Principal",
|
|
"sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "External User Added to Google Workspace Group",
|
|
"sha256": "5b576006ba63579d8d410c1b6a505b7129e0e534887b142f08e9778bab82d1a1",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Network Access Control List Creation",
|
|
"sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Microsoft Outlook VBA",
|
|
"sha256": "d83d1ac6277a6eaacc4f866a0eac0673353c65dcf22f8d35d152a967a40f742a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DNS Tunneling via NsLookup",
|
|
"sha256": "8801895ac0c1b68b260b0d8422f6724ea00f543e7aa39a1a69780f664f6831fd",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Module Loaded by LSASS",
|
|
"sha256": "e16c76578c008d7a696df092cfe1776eb2f3df55ff2a35184d5298eb5ce4bff3",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"3a86e085-094c-412d-97ff-2439731e59cb": {
|
|
"rule_name": "Setgid Bit Set via chmod",
|
|
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "VNC (Virtual Network Computing) to the Internet",
|
|
"sha256": "8f53e51eb2a5c859ac8b9ef07768ea5f88dffcedf562c1d7af115e6069362b0b",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Full Network Packet Capture Detected",
|
|
"sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"3b382770-efbb-44f4-beed-f5e0a051b895": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Malware - Prevented - Elastic Endgame",
|
|
"sha256": "43bc73a5cbc5ccf4e81390755489787a2abc83ecabb1d94666471e4082fdd0a3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Parent Process for cmd.exe",
|
|
"sha256": "be0b2cae97d0fd4aca13ecba80068c7e27a64fae66f1e379e4f2bb52d204a001",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "NTDS or SAM Database File Copied",
|
|
"sha256": "fa2a1bbbfe839717cabfe81b4b36724ec1b661978cffd4ebbf1ccc22e8e3bdc9",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "662687e1f7d20fac26fc72478041a257548c1358dde6abd89f1644bd3beb6db4",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Updated",
|
|
"sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
|
|
"sha256": "d5653b06aa153de878d68e0d4877114f1db044699f6efc662c28c2edf00e05c1",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"3e3d15c6-1509-479a-b125-21718372157e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Emond Child Process",
|
|
"sha256": "cb785e78ef17bb9fecba8feaa1452d0e360ffe43df2a42b01f8bfdf10a07bdeb",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
|
|
"sha256": "1d38fe3a6b6728235b1976aae635ea5a8c3be4a190dec4816b3e72876b47ef20",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Process Creation CallTrace",
|
|
"sha256": "7cb2b7500b86c37fa3f51926431b8f44f6c119d48cf37e143cfa176f9facadb8",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"3efee4f0-182a-40a8-a835-102c68a4175d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
|
|
"sha256": "d864c81705b90eda8f509178fdd93a918d5d23bf207160ac4eef1159233974e1",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "CyberArk Privileged Access Security Error",
|
|
"sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Binary Executed from Shared Memory Directory",
|
|
"sha256": "6e342c34082378117af6062c21081f4890c9f474b9bf2535f076146b36eba238",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Persistence via Services Registry",
|
|
"sha256": "11848877fcd9b9ef07ebeac7ede4a77295a421fd6f43e1a8430de2c4548779da",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"416697ae-e468-4093-a93d-59661fa619ec": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Control Panel Process with Unusual Arguments",
|
|
"sha256": "7794555c370acf5d08defaba53b918d5f62e76ea2fa3a6dfb11200a6bbec54c8",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "EggShell Backdoor Execution",
|
|
"sha256": "b50833e1d316bfb4a9c66c4a5f221aa2fc388faee9c8c1deda871265667bb892",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Hidden Local User Account Creation",
|
|
"sha256": "76cca014bd08c8c800723f0f5ca9a7aab9b28188e98276e8ea79f35bbdc25810",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Interactive Exec Command Launched Against A Running Container",
|
|
"sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"42bf698b-4738-445b-8231-c834ddefd8a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "e29cafa24676a3648219a3c050f1b272648742a58d251193bd90eb54d3389a7b",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"42eeee3d-947f-46d3-a14d-7036b962c266": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Creation via Secondary Logon",
|
|
"sha256": "ede0c21a7bcb75d8f44e0d0a869533c261bd3c91323dd5eef691534aefb54675",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "1683c7052a6db82a42f09fdf1a32ec1aeb6bd1143def14c2721ce2b8677ffe60",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Linux User Added to Privileged Group",
|
|
"sha256": "3d2d8fb898982fb827a99f647f7ecc550e8a22d611b0a294b4c18ae4613e1ca4",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup Persistence by a Suspicious Process",
|
|
"sha256": "b3b42571b54fe50ab271727f9ffd766fb6b88c7412f860c8b7e9cb26d061b6c1",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"445a342e-03fb-42d0-8656-0367eb2dead5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "39abe1c071ae890bba8df275d7f3f3d3b9ca47ef7bb5ff24f498494f444f6c36",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Vault Web Credentials Read",
|
|
"sha256": "099a172ef4590e40ac82c92b5a99f53ac755bc20da2a48b0d55b05a84e594d52",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"453f659e-0429-40b1-bfdb-b6957286e04b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
|
|
"sha256": "223843bf80e272f189bee419979e4fcda5a2022bcf2c5c1f15706307e1f98fb1",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Event Logs Cleared",
|
|
"sha256": "841e18ac7c1e4cc6d98cdc33d34094f042f009d80854bb649f2de577141ba843",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"45d273fb-1dca-457d-9855-bcb302180c21": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Encrypting Files with WinRar or 7z",
|
|
"sha256": "545b3881a188e56e732bb7ed1030f96a36bf679fcf522a9dc2929c70e20d5373",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "6bce8cfd9391dfe017c48b44fa48aba5421f35cf7926d45d3edc8e93b38302ee",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Local NTLM Relay via HTTP",
|
|
"sha256": "2804d2927348f3270cce9e15fc6ab7010b895fb9f705eba1075bc91171cc2442",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"46f804f5-b289-43d6-a881-9387cf594f75": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "462756099c1d370d02e60bee6f94057e278eb551f5321b6c2a186a8dc0fb5c74",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Potential Persistence Through init.d Detected",
|
|
"sha256": "2dd26c40b96bbe91311da08f90fb2d0372f9329d65674f386e162ae1ba9c1e0f",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Sensitive Files Compression Inside A Container",
|
|
"sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
|
|
"sha256": "5c400174c733b48a59cb568595f1b992705473fc85698c48a5006a770c99ddb6",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"47f76567-d58a-4fed-b32b-21f571e28910": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Apple Script Execution followed by Network Connection",
|
|
"sha256": "2e616e5d39c50f2148b85f637589887079741f9ce262dea5c070365f8f70e757",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
|
|
"sha256": "30564156b340fc2226149906e94b475aacd80973cbed89d019ccd4738da6eca4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"48b6edfc-079d-4907-b43c-baffa243270d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Logon Failure from the same Source Address",
|
|
"sha256": "1ffc6db4a92f04db97e68bfd6a7d7ce6b90f4b4ca3accb51924be0ed5ebbcd9e",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
|
|
"sha256": "a7335279197f678eb603fc664437bf326124d49494bbc192a6a2e5863f978e64",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Periodic Tasks",
|
|
"sha256": "9072b7f6b45eaf539a2c6db0f473a172c3084f2e9d16c724c77a9c74fa9217ed",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"493834ca-f861-414c-8602-150d5505b777": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
|
|
"sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0",
|
|
"type": "threshold",
|
|
"version": 101
|
|
},
|
|
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Backdoor User Account Creation",
|
|
"sha256": "2ed0b4c7940323b5e306bb0926dd10643bf3e50f4c3801d32ba08f984eda8b39",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Application Removed from Blocklist in Google Workspace",
|
|
"sha256": "e61b1bbcf81ae0a39c5740592307709fdd354ac9c7ca1cff724f403f2683e67e",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Application Removed from Blocklist in Google Workspace",
|
|
"sha256": "458d45e2d4ec3ad54e104516c1bf827f241392740f457d0b358ed439cea466f4",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
|
|
"sha256": "4fbdf3bd4ba58ab5558059d13784148c40f700fc0726f9df2b88d02dcd301625",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "8f8c69d22ef29bea0f4a731d3ca618ee943b897c187906816547f31062a31834",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Container Workload Protection",
|
|
"sha256": "7dc1df259f2559b82c60fd64135e3a8b31538897e166eb5e423a3487b860e4d7",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
|
|
"sha256": "6046c386a3d23ef89f0dc7f9ed396faf2d2ee6539194b4b9cbcbe8103e5be87b",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Share Enumeration Script",
|
|
"sha256": "c39e8202c6aa104cacdbd7f152f22e19bf2a5e6da299ab44464663d93c2175e1",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Management Console Brute Force of Root User Identity",
|
|
"sha256": "32d9ab18831ca9798b2304547daeb8258a6f8905a01a54c468b20409eee885f6",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Disable Gatekeeper",
|
|
"sha256": "255e34c99602083f8e6f8d1f5d6b8695f05ff159ed157fef12aed4d10227140f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
|
|
"sha256": "6d9dfac6827d13a4a4e4b130bc8cc6df711d0edee0b129f8faad566fd804c980",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Logon Failure Followed by Logon Success",
|
|
"sha256": "757d9270f22b3d376359ff570598911b4adcd81a9ca69970386248e414f5ba13",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"4ec47004-b34a-42e6-8003-376a123ea447": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Process Spawned from MOTD Detected",
|
|
"sha256": "a2b42db263fedff180886bc6f890a5216b1b8ba823f090a4b9a7f1a189724034",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
|
|
"sha256": "3e467545fdbd87088d7f1ec06580ea425fd63592c2c087fa3fedb85f55cae7c2",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Script Object Execution",
|
|
"sha256": "0218289069fce2ea346bf5903576459aee3ecd7272296bcda6a50d1ea36bfc0f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unauthorized Access to an Okta Application",
|
|
"sha256": "24b7130060c37c665c0d974647f1600fed134da5ef1856a958048b1de7a7094d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"4fe9d835-40e1-452d-8230-17c147cafad8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via TSClient Mountpoint",
|
|
"sha256": "1433ced29676c5dba9e9684b963040f135c2b99b2dec232da565e0bd54f7def7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Registry Persistence via AppCert DLL",
|
|
"sha256": "462120945eb319e16807d91e4c93127aa9b45f4125145216908cf4278046cf9e",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"514121ce-c7b6-474a-8237-68ff71672379": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
|
|
"sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Logging Sink Deletion",
|
|
"sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming DCOM Lateral Movement with MMC",
|
|
"sha256": "bc228e3719e4df077aafd4ccc33183d2f80ca6cc4d17e0ffdc6c600c9c2d89c7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS GuardDuty Detector Deletion",
|
|
"sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"52376a86-ee86-4967-97ae-1a05f55816f0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
|
|
"sha256": "29790b0b2d6e35dffcb37b29b2d5cb4d22b7d35cd064e746deef921d52db47f7",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "610ae6296cd7bac101db0fcc7d13d90d6f6b46544fea9b2076e8cf77e3b8c3d8",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "5b89fb01810c6db3b8a1147047375335c81e24edac29f14fc21f7ea87d951bd5",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
|
"rule_name": "Unusual Linux Web Activity",
|
|
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Service",
|
|
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"530178da-92ea-43ce-94c2-8877a826783d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious CronTab Creation or Modification",
|
|
"sha256": "e0907427a1a638c778263d67e892b60dcfe3015c0bcde606e680e1ba32d3eb56",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
|
|
"sha256": "cc2b8ad9a1c68c231ac8da4148a361fff3e24137602de968abb2415576051a04",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EFS File System or Mount Deleted",
|
|
"sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Diagnostic Settings Deletion",
|
|
"sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "bf69537bffa3f7ebf40aa6fc63c17ccb2621dbea75cdfa4b5cb969e9f2019bf4",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Uncommon Registry Persistence Change",
|
|
"sha256": "b19ffc31d50674b624f05eb378e38a7244c641ec4aba6da331eb8dc385f40137",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"54a81f68-5f2a-421e-8eed-f888278bb712": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exchange Mailbox Export via PowerShell",
|
|
"sha256": "aa1f0400a175342c62602b8c06f2378269907642bac386944b26039616a35b69",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Logon Provider Registry Modification",
|
|
"sha256": "12594aa99dbeb7d4711290476226bd673a53fc550d41dea6ceaaa9c81ebdbeb7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Service Installed via an Unusual Client",
|
|
"sha256": "bb2c6c314a9f328d7f500d24c4a54ed4f6aca50ffe834082341a97d3659c9902",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "b7d0c5a85ebe47a9169c95e326c88682024006e74412c6b22098fb8ef46f0269",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "602c658a04190e27d27abced9d3265d8025a5a5173c8381cdaf432a69eef80ff",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"565c2b44-7a21-4818-955f-8d4737967d2e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Admin Group Account Addition",
|
|
"sha256": "b504ffef97b6f91e0b46273f785ab363e3a06e6d008ad129e82a95d2beb77525",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"565d6ca5-75ba-4c82-9b13-add25353471c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Dumping of Keychain Content via Security Command",
|
|
"sha256": "e2fc55eb8ba6bb42bb983a9ea007da12e49980b858ffcee6ddcf971a63bb824f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Logging Bucket Deletion",
|
|
"sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell PSReflect Script",
|
|
"sha256": "443cf0180678565fae6aab3fde53464a3fc6f6161ae2be250b2f29d08e3b1071",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "fc21ee6cbf503c5e838516bdf20bde527a4de6a5d7b855d0af74f506caebf4d7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
|
|
"sha256": "dd1d2bea2a77074d95a5cb954bac84a5931dfa69391613cb54de8fd114d134cd",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Virtual Network Device Modified or Deleted",
|
|
"sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell MiniDump Script",
|
|
"sha256": "c0d675ffa38a191db718cef276121a40567626d3b4c0fea4dd9edd038d2d216d",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "b61566457439230d2e647b027e9c3b1921003527490e3fc50091e16faa895490",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RDP Enabled via Registry",
|
|
"sha256": "29078352bc699df5b5ecfa39cece91616abc3ce7dce5685f3018a5d36d993b1c",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Zoom Meeting with no Passcode",
|
|
"sha256": "98a47d996a6d80939cb7222d643873b69ba45d90457a2cc0724ea08c3a889bbd",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
|
|
"sha256": "881f07e561874d1056d20463f9b92b77aa2c29296314493e05a09bbe3ea158b7",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
|
|
"sha256": "b5eef6f5f7e0633f51cedc194fe8da44dbcbff73ebcd5b7710afdd3fb05c92db",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"5930658c-2107-4afc-91af-e0e55b7f7184": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Email Reported by User as Malware or Phish",
|
|
"sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Created",
|
|
"sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"59756272-1998-4b8c-be14-e287035c4d10": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux User Discovery Activity",
|
|
"sha256": "2603532db2ec7f4eb19bf3e56af6de11bd18e886e06bbbda558564297ff1a3b9",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
|
|
"sha256": "7dbc7a06b1b2db26b7a189680f02c00f57788ad7e4bc04e5a9fbf29bd04f72a3",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
|
|
"sha256": "d6e7f1842bfbbd2cbf6f3ad6696715458b5ccf7890973a846baf5b037efce1b8",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Secure File Deletion via SDelete Utility",
|
|
"sha256": "46d754423faa24e0215c936a7ab785ba65d78e76622df16986de8b177f6a11f7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "c0f597645e46e5adf3b6ba6589d0e2eac85f4257fd4bc2d92ef9c25e0f8138ab",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
|
|
"sha256": "d221b1a29c592330cced6fc124666e5eafb909db075ae2fe4f376b0b70303277",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS WAF Rule or Rule Group Deletion",
|
|
"sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "FirstTime Seen Account Performing DCSync",
|
|
"sha256": "1598834dea3c930d3ed6921400b6ecf38172a83ddbdc45cfc874a1ccf4d183c6",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"5c983105-4681-46c3-9890-0c66d05e776b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Process Discovery Activity",
|
|
"sha256": "ff995198579b5bf65e6e45dca890068241b412c9b485ed2195047faa8e49b2a2",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Defense Evasion via PRoot",
|
|
"sha256": "bc6703e631f2bf3b6b6463f3c5db2078097ee52a576dabc76d5b8d27af7b2666",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
|
|
"sha256": "9093ad075028d5d084f5a7dd40d75ac92d0cd8bb904b285b1e7a63384a8adbef",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Added to Privileged Group",
|
|
"sha256": "3d850464bad4437221f6f350a9c2e8a26592a38e76229d1756195368d05aab2c",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via PowerShell profile",
|
|
"sha256": "4837861731a429112d4f65eda3208a3dab65384aab3ad3e2431077db1a073938",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Login or Logout Hook",
|
|
"sha256": "34df46303c9e7997ef62d9d9dad16c537e0382074012a9897609b4d7b7dc79d0",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution via Scheduled Task",
|
|
"sha256": "658d4849d64b0be609077e96af29161032abf882fede376f4e34b581dc466e89",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Automator Workflows Execution",
|
|
"sha256": "1cdf6f9b6e7e844755f615e62f4371b305fbd015896ef21231f2082eee15d7a1",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5e161522-2545-11ed-ac47-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace 2SV Policy Disabled",
|
|
"sha256": "ddbea6e8e6fead49ee6b7eb17b83de0996fdabfef882164c7f04a134f1438293",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace 2SV Policy Disabled",
|
|
"sha256": "90ed7cc03c1d2f50cb22cde81cefe5234690d44b19be19c4b0029735fa3e4f3a",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"5e552599-ddec-4e14-bad1-28aa42404388": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
|
|
"sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"5e87f165-45c2-4b80-bfa5-52822552c997": {
|
|
"rule_name": "Potential PrintNightmare File Modification",
|
|
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"60884af6-f553-4a6c-af13-300047455491": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Command Execution on Virtual Machine",
|
|
"sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Service Principal Addition",
|
|
"sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
|
|
"sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"610949a1-312f-4e04-bb55-3a79b8c95267": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "cf2dddf2a16c9ae7bf4a58ad60d72fbcf0c42c485c4d15dd84b29738f57fe846",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"61ac3638-40a3-44b2-855a-985636ca985e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
|
|
"sha256": "444b3f596cebb926a06080e3e7727993719f9de92750e7eb7c05639a7692e16c",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"rule_name": "Mknod Process Activity",
|
|
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AdminSDHolder SDProp Exclusion Added",
|
|
"sha256": "71e064cd3cf1b8dec498d3e054d70ef2121113be1ed24c7e7df6af3b4324f27e",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
|
|
"sha256": "0591fc24c5321e8518676992fcf13ffff7c42eec2c2f268a4a4fb9f69cd3548d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Account Configured with Never-Expiring Password",
|
|
"sha256": "4878a18822a0f4ab3c6536a39b0055899b9fa296cc1629aa3d8a99d767235d30",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"63c05204-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
|
|
"sha256": "50e22b963b23fb875f4790d08f86ff42ef3c0647bb9ea73d6230249f92d02ec3",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"63c056a0-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Denied Service Account Request",
|
|
"sha256": "0d948643de064e41761d52de2aea9c64ef42324b59c2d35ab8ccd34d42d83d7c",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"63c057cc-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Anonymous Request Authorized",
|
|
"sha256": "9b17ca3824cda21b35d9b9ddb4a1bee94a6342ac24e00b513c0fea2383448380",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "808861119a9ee8f4cbf046407cc88cce8871bb136a3c5530f247947bb822a8b5",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"647fc812-7996-4795-8869-9c4ea595fe88": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "b8d88bdfed4546ac4b1afc3b6e9064317723865869497016351555ee65fc4d30",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Safari Settings via Defaults Command",
|
|
"sha256": "58759da1398f2ed9cdac6205374371b42f04208ef47f7a0bbe4ac2c72a1cfabd",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
|
|
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
|
|
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"65f9bccd-510b-40df-8263-334f03174fed": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "c6cf6184bd1e4f3add0ac786022ed97b13163f8ef7278c905b94bcea8447509f",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "a392535f193c9bb4f607ca018da754d0d2fe756881ddd68726caccca6568ce2a",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Mount SMB Share via Command Line",
|
|
"sha256": "5093be776a67dab45f4c4a0706097b9791adf1d83baf0ad769eb4ade82ff2ce6",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"6641a5af-fb7e-487a-adc4-9e6503365318": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Suspicious Termination of ESXI Process",
|
|
"sha256": "eba9ff289eeaccf5c48be51e4277e164148f4cc363403c23c8a944105c5aaf75",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WebServer Access Logs Deleted",
|
|
"sha256": "865169a089484f51565d466f20d7f4b3ddffb231482b928744491443df76f14f",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to Commonly Abused Web Services",
|
|
"sha256": "ec37df4c6f03fe29ed01e7a16033cfb75e5001cd753dc1cd5736f4852c5cd383",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious macOS MS Office Child Process",
|
|
"sha256": "1a07690edbfaa9211bdc2ac3529fb6b105432896aa9ec206d890ede13296808a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of the msPKIAccountCredentials",
|
|
"sha256": "9546181bdfa5b6f04cab84f0ff7afdbbb59ef9ddeaf7ec7bd070a1808324473d",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Policy",
|
|
"sha256": "8d5901f783e0ed426c9974f7beb69101e06018a4e7a33c12e00d05ff54f7e9b0",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Mailbox Audit Logging Bypass",
|
|
"sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "64954cc7a56a7f76e7090ca4458fd30e0ec00bfb1546181618645ea74c0407c5",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"rule_name": "SMTP to the Internet",
|
|
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "High Number of Process Terminations",
|
|
"sha256": "2f7bfcd5121da1321ec96a27333dcd7da86d0ec12827922338b4642913d43c93",
|
|
"type": "threshold",
|
|
"version": 106
|
|
},
|
|
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
|
|
"rule_name": "Query Registry via reg.exe",
|
|
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"6839c821-011d-43bd-bd5b-acff00257226": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Image File Execution Options Injection",
|
|
"sha256": "b0942dece4470a3a4214710744a3644d6cd9c2cba5dffc7c127a4ec0afa410e5",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "New or Modified Federation Domain",
|
|
"sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
|
|
"sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
|
|
"sha256": "9fda9c755ae15eed8281324dc8a228df993846b9c81ad1abb78f73a49fc3a4ba",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "a8a7d4e956c4cd2733f3d5e26871a367b937a0944420b3eaaca82370b8246a55",
|
|
"type": "query",
|
|
"version": 105
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "6efdcc0936767be2538639bc2b7dfc028b4f7d02b590bbfac757314fcec9ce2a",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Scheduled Task Created by a Windows Script",
|
|
"sha256": "11571b02dbf13391f8338064acec92510a657c042b35320fafaadb58530580e2",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudWatch Log Group Deletion",
|
|
"sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
|
|
"sha256": "954b6ed90ec4f7af289e6f435b8dd6a49b37610ee7b3e5f3a6cf03577d36ce32",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
|
|
"sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
|
|
"min_stack_version": "8.5",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
|
|
"sha256": "f2d4dda1642f078dcb77b698976c25ba557553c259a493e3a18224bfbbf36a96",
|
|
"type": "threat_match",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
|
|
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
|
|
"type": "threat_match",
|
|
"version": 204
|
|
},
|
|
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "f70f107119f141d8886f8a58ff6926687b51d66bc69ace2184cea66cb35a4505",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Password Recovery Requested",
|
|
"sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Service Host Child Process - Childless Service",
|
|
"sha256": "69744da394abbc6a420858ceef7709e3ccdcf93bb437785b882d1cd603d183bf",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"6aace640-e631-4870-ba8e-5fdda09325db": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exporting Exchange Mailbox via PowerShell",
|
|
"sha256": "c186ae5be53627a390060dc7dd2a22a18069877ca0c0bc0248829fa440255d16",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sensitive Files Compression",
|
|
"sha256": "a860595ed44bc686650e020e8d1057d9f6ddc0d630c93e00ea6e46d1be39ecc6",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Computer Account DnsHostName Update",
|
|
"sha256": "9c708ef814d11a565cabbe622c71aae461be77b7d77f10a3c610e006d77f45e1",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Container Management Utility Run Inside A Container",
|
|
"sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
|
|
"sha256": "56916bd068b8dcbadec79d7490e229298f77373768b4e5e51e15238e2ee4b1e2",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "d44ed1811f078ea61839ba39bf1a8ce428be8c5c1d788c67ad4f206bbffa35a7",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
},
|
|
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
|
|
"sha256": "2f3f2a58ed1cbd3765a1717b60e4a0dfd22b951cd53a4189a56ccb89cc16d1bc",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "1484f20db62296695ce5b6744204ac294e46fd18766e5ffa5f78a965d3e5c4b1",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AdminSDHolder Backdoor",
|
|
"sha256": "c6d5f04ccbfb426d106eb3b03f1f20727722e4632689aec4bc9fc11edb28bc83",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
|
|
"sha256": "9b725c04649063372e0ac70bb4088c61988f3e2cb138afd2c021149e86cf14ab",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Windows Error Manager Masquerading",
|
|
"sha256": "5bbe98c1d1b136bf1b82b43f6359cbcbb0efbcfa7070b99c6c4b20995dc43b5c",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Security Software Discovery using WMIC",
|
|
"sha256": "bb303be8adafd9d55d77ca503b8d38da926f936efaf9e270e931cf32d7a00563",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "8917dd169608ea491ef3f4c15d53b08aa6747b200e3b62a4bc22da3afb71fc9a",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "cc27c5d907038ca85c5d0c991e541013163f6fccc0bf95c84ac0b4ed62175081",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the find command",
|
|
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Deleted",
|
|
"sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Config Resource Deletion",
|
|
"sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via WMI Standard Registry Provider",
|
|
"sha256": "717f008f47d29da3f5b1b63ba46687d10990276feb6c268c9dfa2023ea521904",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
|
|
"sha256": "8ad6ea6c95511bfda4e9acb0d6aba65b2b806a6b61705ad2074ca3d5c1a6a066",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"7164081a-3930-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
|
|
"sha256": "bf6e413b1a7554ae0a50a51c3ffd97289d9c856bfa37a5bbd049676b408e9b78",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
|
|
"sha256": "92da433ebfb2177c7b51819eebbe61957a72ff556cb3ded55d826a7fc9d45913",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"71bccb61-e19b-452f-b104-79a60e546a95": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual File Creation - Alternate Data Stream",
|
|
"sha256": "e52eed9c8cd5496c5c1c20e815e74393fb74456306252edb79633e1e3618cf8a",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious RDP ActiveX Client Loaded",
|
|
"sha256": "ed42c0fb2d21cc54e22a7d89aa2d288c8f65e5838f53f8d4f70610fed30dfd4f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Potential ransomware activity",
|
|
"sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"729aa18d-06a6-41c7-b175-b65b739b1181": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
|
|
"sha256": "589ed370382005f679784080b48032cb270e5ec62367be040705713df506d42b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"72d33577-f155-457d-aad3-379f9b750c97": {
|
|
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
|
|
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "f0075154901353040f0326fe7ce86389aa8eec62b61bea6a4ed774ef5e7aa6d1",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Environment Variable via Launchctl",
|
|
"sha256": "b03d27db98d1c22fc0e332c42a4547f7fff8937be12ad0060c54d80b1a69b6e2",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"745b0119-0560-43ba-860a-7235dd8cee8d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Hour for a User to Logon",
|
|
"sha256": "ab13305ff4ac6941cefb428e1de108a8c5c97f0d11cf5074464593477c59fdf3",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"746edc4c-c54c-49c6-97a1-651223819448": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "82fc5b2b1b1c75dda5d968ac3522eeea25437fc6095b9a28e893febe014978a7",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"76152ca1-71d0-4003-9e37-0983e12832da": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
|
|
"sha256": "45be8d8fcc5440e8400f3b3736a93cdfaac250ae4b777dd232d908a245e74058",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"764c8437-a581-4537-8060-1fdb0e92c92d": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "88a76082a0b05f8b848047174d1517f7746506e91ed2bb2d203255a52f38a8e2",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "eb3c017dfadc69b9ca322bd0fa4ac6795b89d7c3ac31f0050aa79171995b9df2",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Access to a Sensitive LDAP Attribute",
|
|
"sha256": "1d6d7f0f4498f6d1b8c8289faf2ee642bb37d201d14ca66b9143b351f12f136a",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Shared Object File",
|
|
"sha256": "6f7d21d296794e815a629299d0e7bc2c4287ff94a2a07e0c94f22e6660fd00e5",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
|
|
"sha256": "d839f2d7fbce2eec0bc89c413ad6e482595c60d724f25203e08424a6fd768cd2",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Desktop Tunneling Detected",
|
|
"sha256": "c42d3d5e793948cf2619446bd13d2f526e54d1e6cbf9d36889e28c829b865cd1",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
|
|
"sha256": "50e1096e383732d4bfbbc05cb6ebc3c141541607bc81c2fcf6165e864af53e50",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Added as Owner for Azure Application",
|
|
"sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
|
|
"sha256": "80710ac325d0c53b1d15965386e8fbb32e1c4aace237b63664d9f4db8f7f815d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "7fa64b656ada94baa0a8d76c00231f99bfd63f0925722bdfeb6528ff90cdef76",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Privilege Identity Management Role Modified",
|
|
"sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in AWS Error Messages",
|
|
"sha256": "8cd2d319c3195887156eb5af83cacb38617e98e24fa81bfa46ad105177757464",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Unsigned DLL Loaded by Svchost",
|
|
"sha256": "31e050673ec47baf5a08c2e334565177b404ce43c1f9ff82d5776a62d20ec295",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Key Vault Modified",
|
|
"sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Exfiltration via Certreq",
|
|
"sha256": "e10b6b4454dd1b73e63fa0c9dc9a1928b6914f51f7b570e674bfc5f40050d590",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Shadow Credentials added to AD Object",
|
|
"sha256": "4ac2004e028233a74da95a3da67e70091128c58db82ac8df61b7cdbc9b564671",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7b08314d-47a0-4b71-ae4e-16544176924f": {
|
|
"rule_name": "File and Directory Discovery",
|
|
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS ElastiCache Security Group Created",
|
|
"sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Network Enumeration",
|
|
"sha256": "4a75185148b0f025912e9ecc19ed722f7a025f359e7b93fd8b65afbe41365a1e",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious LSASS Access via MalSecLogon",
|
|
"sha256": "29e6369ddb5da23c00355cf063d8da8f8dc008a9cd28b2d2f6324d8b9618c53a",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Tampering of Bash Command-Line History",
|
|
"sha256": "df93fe3408b4a9c843b5522860505e6ec82f96abb08fa0881ad1e46e027b0c38",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace Bitlocker Setting Disabled",
|
|
"sha256": "b7f72377e6e5c62220a4932b83c0343a304f9e32c6f8df1a2320f97dc666d857",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Bitlocker Setting Disabled",
|
|
"sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"7ceb2216-47dd-4e64-9433-cddc99727623": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Creation",
|
|
"sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious WMIC XSL Script Execution",
|
|
"sha256": "5657cd8ac5f0c4e6ae8f8bfd17d420d2fc7893a478c3cf4c06c28941e2106614",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "New Systemd Timer Created",
|
|
"sha256": "b730569109f3ddc95ddc2776f456c9cff30e3f2bb0834d2a5548ea3c3713263f",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"80084fa9-8677-4453-8680-b891d3c0c778": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Kernel Modules via Proc",
|
|
"sha256": "85407f5506904f8e8283e034a04965db0ab6ea86ce1ef257b575653b6cae7362",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual City For an AWS Command",
|
|
"sha256": "6e9418d6a76d5b3bd4aae888d33160f13b9b71a18647ab577689746982587651",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"80c52164-c82a-402c-9964-852533d58be1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Injection - Detected - Elastic Endgame",
|
|
"sha256": "0dbd2d102b454f0abdb7f1d0be19cbee64db8c5429aee66b1cc09dc125766d6b",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script Block Logging Disabled",
|
|
"sha256": "0e79e3691650f83b5f187e3bd292dcdbd41e4473d31f3ed524309ef749c1da08",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
|
|
"sha256": "fa54a081102c0003f3ea830b25817681f92f9e78912fc5ef16fd9978f44fb682",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Temporarily Scheduled Task Creation",
|
|
"sha256": "82f8ec9cc22e111eb627de7426fd99dd540938ed1e0d05473496ea18b54c3cea",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Apple Scripting Execution with Administrator Privileges",
|
|
"sha256": "eaa33048144c193d9ab95f5e9773af65d5f9eabcfe8188abe417c7d6d38009cc",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Kubernetes Pods Deleted",
|
|
"sha256": "8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
|
|
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "3416e2bf5ca7daf2a45db0247015f02bf59791f7b972b4fdc8acf9dbe9ea6719",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
|
|
"sha256": "a76bd349ce4d13a5d025dde2db7691bee20d9da2c53a9ff32f6b426b6148bdd7",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Credential Access via Registry",
|
|
"sha256": "39e4e96b86604efb80925d0bfa1da0279899664119aaa5b392a2cc165a2a20c7",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious PowerShell Engine ImageLoad",
|
|
"sha256": "bc53d1dbba1010446ca85bd7500870ce3bde0884a67804fc35db83bef33069ff",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Network Access Control List Deletion",
|
|
"sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"863cdf31-7fd3-41cf-a185-681237ea277b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Security Group Deletion",
|
|
"sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Group Deletion",
|
|
"sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"870aecc0-cea4-4110-af3f-e02e9b373655": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Security Software Discovery via Grep",
|
|
"sha256": "3ab8e36e47dd61b440cd8084f355afbb348f444f9f3ca559609ea4fbfad4f968",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"871ea072-1b71-4def-b016-6278b505138d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Administrator Accounts",
|
|
"sha256": "8a3f98f76ff448f3696197c61f3d7473e0997ec6c9f145b7f140e1040ac7589d",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
|
|
"sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"88671231-6626-4e1b-abb7-6e361a171fbb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
|
|
"sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"88817a33-60d3-411f-ba79-7c905d865b2a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sublime Plugin or Application Script Modification",
|
|
"sha256": "9513ee2f3181086efc60d05ee0bf42d67f78fe20ecf2d92352b2f3765ff58bd3",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious WMI Image Load from MS Office",
|
|
"sha256": "deac5774bed6bfdc77e63f9f2e6b5688261dd238664bc00cebb4d22a72c4d4cf",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the vi command",
|
|
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kerberos Traffic from Unusual Process",
|
|
"sha256": "7012f85734fadef531a81f65a790a31a85fe7dd6c4ef6bec17a7a9ea1ede1283",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "a96de0fddbb5b4535329405dcc102eca10762785ad1cc6d6d2bafc48185d5df8",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via DirectoryService Plugin Modification",
|
|
"sha256": "aa33ded72a34a56408c07f9dbdabdc13acfe4c609c4fec7f48f093a82fb5a249",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Setuid / Setgid Bit Set via chmod",
|
|
"sha256": "89de3007f94235a74251ec78230a1612aa41751a62318782c36137e848ab2227",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution from a Mounted Device",
|
|
"sha256": "3e21ffcd1f9b36bb1daee50d26cf91acd10b7f1c10b9c8f1f27279bf32b572e1",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Network Zone",
|
|
"sha256": "5ce18d919b378e1bacbb6503c08bbe1aafb42ba998938041cc0654e2a7820d54",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious JAVA Child Process",
|
|
"sha256": "35097b6f0b3c4dc111e03896083a67d44d75afde8cef52b695fcfc833c2d8bf1",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Executable File Creation with Multiple Extensions",
|
|
"sha256": "aafb76a9f8863d5a85c14adaf0ec53cb6bba634b39475f407befad5b94eca10e",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enable Host Network Discovery via Netsh",
|
|
"sha256": "b3147152ceab5d19b1a308b040c5a3ae31cfb7ffcde3d9564621da5102d49685",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Kubernetes Events Deleted",
|
|
"sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "f01d3cc4a46b406a142212026fbac6666713fd7a0cfb377025089371471c7721",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Child Process of dns.exe",
|
|
"sha256": "a07d9dd17ccc1fb4611d130132783f98500b2210fa94d6d6687f26ccc7a8a3e5",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential SharpRDP Behavior",
|
|
"sha256": "a086a430a5246d5504575c3ead307579d1361febfb0f60c35f89ee47736cbafc",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Ransomware - Detected - Elastic Endgame",
|
|
"sha256": "c9bb739724755a7a6e1cbec08548874af36827e590163f7d6e0ff83b215c2fad",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential SSH Password Guessing",
|
|
"sha256": "cdf197aac53bebddcf87f917dd2a37e795c2187adac142d96c83f91ae832a7de",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"8d3d0794-c776-476b-8674-ee2e685f6470": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Suspicious Interactive Shell Spawned From Inside A Container",
|
|
"sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via PKEXEC",
|
|
"sha256": "f0bc49fb3356877692242e841428e75c2a7f3e6a4b19b016e0bfea992325700d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Runbook Deleted",
|
|
"sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
|
|
"sha256": "da330e831040cfb41f8e1dbe7ca597ff279047526226be556531a0ff6c01d85a",
"type": "eql",
"version": 103
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "79fa833139dcdd970fcf966aa53642bf075e8c237c083f593e9a8ba31d8f962e",
"type": "eql",
"version": 104
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"min_stack_version": "8.3",
"rule_name": "GCP Service Account Deletion",
"sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb",
"type": "query",
"version": 104
},
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
"type": "eql",
"version": 100
},
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"min_stack_version": "8.3",
"rule_name": "Hping Process Activity",
"sha256": "9bd9bfcf3e5386259b1e87dc76e6d13c7d7c76272356e20cb69d1791e27d305f",
"type": "query",
"version": 104
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"min_stack_version": "8.3",
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa",
"type": "query",
"version": 103
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"min_stack_version": "8.3",
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "9fd4f43335c4e1709100ea8eb8fe828ce5c5cc643b4332701f68e420384d8169",
"type": "eql",
"version": 103
},
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
"rule_name": "Auditd Login Attempt at Forbidden Time",
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
"type": "query",
"version": 100
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"min_stack_version": "8.3",
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79",
"type": "query",
"version": 104
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"min_stack_version": "8.3",
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c",
"type": "query",
"version": 103
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"min_stack_version": "8.3",
"rule_name": "Unusual Web User Agent",
"sha256": "932ee05757e47a1ccc2512e263ef3851b3df6cf9f1f905fd7f6c14ff868e27eb",
"type": "machine_learning",
"version": 102
},
"91f02f01-969f-4167-8f55-07827ac3acc9": {
"min_stack_version": "8.3",
"rule_name": "Unusual Web Request",
"sha256": "5eeeca2519f2eb668a90c9eb7eb2bcbeb751c83979d5a30d841b6a949c4824fd",
"type": "machine_learning",
"version": 102
},
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
"min_stack_version": "8.3",
"rule_name": "DNS Tunneling",
"sha256": "95c5521a8804043c2ce46dbb6bda769b2546afedd0aaaf60fb19629e49d92b4c",
"type": "machine_learning",
"version": 102
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "26e50e4711be42832f70f9f3a9cc93026dd0ee356f5ba96a381366ea33c07e9a",
"type": "query",
"version": 4
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was created",
"sha256": "d06b732a19959ac408573130e7312505731217a17ec0035068bf7769ab026484",
"type": "eql",
"version": 7
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"min_stack_version": "8.3",
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3",
"type": "query",
"version": 103
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"min_stack_version": "8.3",
"rule_name": "Sudoers File Modification",
"sha256": "be8fc85ed808400b6e478b16df3cc482bf866a26d0d137005c3a09891f266595",
"type": "query",
"version": 102
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"min_stack_version": "8.3",
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3",
"type": "query",
"version": 106
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "be0ae0930b577db016a138130ede4ffee2e566ef18732c03f19e42c7b8f02182",
"type": "eql",
"version": 105
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.3",
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "5915a9af341960e1ca6dfa9e21e82cf8e4195f36b9a086b3aaa4455fc7501404",
"type": "eql",
"version": 104
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "723578f77b081beb3b8a8da703208e1279aa15eba410de837d67b390c4334bbe",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "cab219f6e8b4ccaf91b7f6190f1d098c08ddc5b898d2e1566965ba6039a72657",
"type": "query",
"version": 205
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"min_stack_version": "8.3",
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "db6b76e9a6c301a4f03c90e797b1cd301c48fd21c9690db929cacaf7f44bfbdc",
"type": "query",
"version": 103
},
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"min_stack_version": "8.3",
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "abac1d11e7f877d853154961ee8ec3fde31af1d1f9901a3a5e5d22a9242daa22",
"type": "eql",
"version": 3
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "0c7bcbc73caec8df64f6e5d9c2430357baaef7371ef1f47b25b5f5bd7f6edf7f",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1",
"type": "query",
"version": 106
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"min_stack_version": "8.3",
"rule_name": "Remote Scheduled Task Creation",
"sha256": "7a073636a8c2986dc7aff0fe54e8dbb20a5b5e5c5db19c2607aa5d1c73f00a72",
"type": "eql",
"version": 105
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "5290a21ce82c80c1c37b7d9e1f8cdddb44b22b0de1bb721928355e6338583e5f",
"type": "query",
"version": 106
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"min_stack_version": "8.8",
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9",
"type": "eql",
"version": 2
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"min_stack_version": "8.3",
"rule_name": "File made Immutable by Chattr",
"sha256": "70da697a2d795b80c7a619e9095e3ff375589369d8dda1c3ccadfc5223074306",
"type": "eql",
"version": 105
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Create Okta API Token",
"sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353",
"type": "query",
"version": 103
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
"sha256": "ee09a6f0c9715a320cac11338ab3b5c40d58d783470254b2288e5353dd8d2569",
"type": "new_terms",
"version": 2
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"min_stack_version": "8.3",
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "f5a924e4073b4f7debe163a2dcbec38d0270cebdbb6385e6e71552ea0be7cf92",
"type": "eql",
"version": 103
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.3",
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "0cd5c0bc7910d590183a34269f1482a68cc7c267f915cdd7cdb8c11894ee3d6d",
"type": "eql",
"version": 4
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"min_stack_version": "8.3",
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f",
"type": "query",
"version": 102
},
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
"min_stack_version": "8.3",
"rule_name": "GCP Storage Bucket Configuration Modification",
"sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6",
"type": "query",
"version": 104
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"min_stack_version": "8.3",
"rule_name": "AWS SAML Activity",
"sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d",
"type": "query",
"version": 103
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.3",
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
"sha256": "ce61da7843e233c6b841bad1e6cdd3c1a763926ccd667356d2197bbe18256022",
"type": "eql",
"version": 103
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Zoom Child Process",
"sha256": "99058c561b3030c58e40456e1de1c940c35c3ffd89c81729e82054ffd91d5f62",
"type": "eql",
"version": 105
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
"type": "eql",
"version": 100
},
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Renaming of ESXI Files",
"sha256": "5c9f9ccf50a5f760e5abbc35b0c30a8fccd38fb8ccf2a92b104fc4555265fe4c",
"type": "eql",
"version": 2
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
"type": "query",
"version": 100
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"min_stack_version": "8.3",
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "08f158f696c1ad30a048f41e0fe2528ee7c7cf0a0190972f42a4b09f2e4f85ba",
"type": "eql",
"version": 107
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"sha256": "a1197c00ba4334f0b61b5d4d3d8a5295997d4ea0558e29bae8140f3a5043e319",
"type": "eql",
"version": 2
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"min_stack_version": "8.3",
"rule_name": "GCP IAM Service Account Key Deletion",
"sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff",
"type": "query",
"version": 104
},
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
"min_stack_version": "8.3",
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e",
"type": "query",
"version": 102
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"min_stack_version": "8.3",
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e",
"type": "query",
"version": 106
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"min_stack_version": "8.3",
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "6306143790d8722aa16246c98c608a9cd232df0e1686f9a92e6cd306e8ee7676",
"type": "query",
"version": 101
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"min_stack_version": "8.3",
"rule_name": "MacOS Installer Package Spawns Network Event",
"sha256": "e91c5d0c1e37dc56aa9b7359f8d0aaa2b3622d6ce958024fb4e23b73af5a5b98",
"type": "eql",
"version": 103
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "2afc41e645fc2f007dfe22ec27e0c211672070aacd5d5a0a8281a8e68a24639f",
"type": "eql",
"version": 105
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"min_stack_version": "8.3",
"rule_name": "Spike in Failed Logon Events",
"sha256": "319a1b5798912ce1e22d4274ab5e8a263444ca31289a600b07ecb0039fdbcd21",
"type": "machine_learning",
"version": 103
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"min_stack_version": "8.3",
"rule_name": "Endpoint Security",
"sha256": "8c02160e083a13d6519e4b952e3d3890879d81fb7b014cd29461f8c5e1e5dee4",
"type": "query",
"version": 102
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"min_stack_version": "8.3",
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "96dd345dd9049c6da3264d6610314a092cfb79e65182d8d163815c1889ba3314",
"type": "eql",
"version": 5
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Explorer Child Process",
"sha256": "a8bd97244305d66f46e2f2c18820be193c34162cb7ce82b4dd05fa0d4c333ac1",
"type": "eql",
"version": 104
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "83dbb7279a23df54d29943b065241fb5b9c8ca10008fc9fd22591c9c6c7d5dfa",
"type": "eql",
"version": 104
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "efa5d04eb0de4d766926df7a31de77239d0fe74d8d059685ed95d91d6580e5c6",
"type": "eql",
"version": 105
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.3",
"rule_name": "Hosts File Modified",
"sha256": "848ca4b6973aab7d825fc19df47d9fad8b6b5a0b049c78536b852c6fa97975d2",
"type": "eql",
"version": 104
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote Logon followed by Scheduled Task Creation",
"sha256": "4e0993f31425ff82fe3e63aadcaf70f37978105fffef6e3988effbe42e8e2e2f",
"type": "eql",
"version": 6
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.3",
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "ed935a77f2c6a9c2c7e39d20df0e6d7b6af77d296ae7e7749807ca3bef0cf8bf",
"type": "eql",
"version": 105
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "4ca64be8b81634872abafdfb31ec9ad8ac4825ceb19369bc47a5f59f0cd15968",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
"type": "query",
"version": 104
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
"rule_name": "Trusted Developer Application Usage",
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
"type": "query",
"version": 100
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "2bfd31d99b630ca0c9c984f354c3ab5a7fea76166df7fa55940732ac50d49cd8",
"type": "eql",
"version": 104
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "9f81fca217e8a1b0e0423550fcd903530b9f3345da2788c603d0268784a9a883",
"type": "eql",
"version": 105
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "92ccb98a5670a616a2ba3f1466609fe634d27e2d76acab79f2f6871a7b9e17e7",
"type": "eql",
"version": 106
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "766827804d77a517bc30bfb691d5726197e710212516dfd4fb2f0e24f6282b6e",
"type": "eql",
"version": 106
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "160c6f76131fbeb8894494c0e1d9275d28b6f0eac2353ff8b83c4f7b53e49f99",
"type": "eql",
"version": 105
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.3",
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "776c171ad88eb90cf08b8fe5b55c1f9f0303df9c61b6c977aa899c710d7f8348",
"type": "query",
"version": 104
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"min_stack_version": "8.3",
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "327e19dd65541bc98279099df7ba1960cf71e33c80526dc8e9663198074f242e",
"type": "eql",
"version": 103
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Process Calling the Metadata Service",
"sha256": "9bc99177ea23ad302bd0e299315a14e71b201307e7927a048b06f6c18a51b574",
"type": "machine_learning",
"version": 102
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "923544db5daaad9039515107320de465fca70491130f15c05447e19a7a2a3c71",
"type": "eql",
"version": 104
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via DCSync",
"sha256": "60885e35680729b0826da21cfc7c3d4599b6ab61362720129f02c36ca9f8954b",
"type": "eql",
"version": 107
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"min_stack_version": "8.3",
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "35422cb8142edd3b668f2f8d0354935afc86ffd1c9b10db99222d60f3641994f",
"type": "query",
"version": 103
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Access Secret in Secrets Manager",
"sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe",
"type": "query",
"version": 106
}
},
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263",
"type": "new_terms",
"version": 206
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was updated",
"sha256": "2c9704e304d8d996f137257b6854e679631bcfa0dd302aca47f47cedd91892e7",
"type": "eql",
"version": 7
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"min_stack_version": "8.3",
"rule_name": "GCP Pub/Sub Topic Creation",
"sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93",
"type": "query",
"version": 105
},
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"min_stack_version": "8.3",
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "7a0b86662b957d2a96a20c87d3e2708153362972784186032e5c5ea8de6cabea",
"type": "eql",
"version": 104
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"min_stack_version": "8.3",
"rule_name": "File Deletion via Shred",
"sha256": "6b036be970d1ee6d68567c6160d421fdedda2d8ed4998a63ad6d0d720e619b15",
"type": "query",
"version": 104
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"min_stack_version": "8.3",
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "2a6a370e108c2703a6ecd9df127d8c0f1b6d7306fa6cc25b5c364095b1395a63",
"type": "eql",
"version": 104
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "091b228e76fee62a401548b353eaad1d1a10af237031b251a54f08efdb6ffd51",
"type": "eql",
"version": 3
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"min_stack_version": "8.3",
"rule_name": "GCP Virtual Private Cloud Route Deletion",
"sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99",
"type": "query",
"version": 104
},
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
"min_stack_version": "8.7",
"rule_name": "My First Rule",
"sha256": "43d6a8a026423a6d83ae7d5ef0bed2a9cdf07d16f2c3c2f778c6634a42c06617",
"type": "threshold",
"version": 2
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "178b7fe58e8100b46195999990aa071229425ffde84c24120c53538a5fb12d38",
"type": "eql",
"version": 104
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"min_stack_version": "8.3",
"rule_name": "Linux Group Creation",
"sha256": "7fa8d7d237898593130f65bdc631264a4ba943edb6d9242a63688ce574a50f26",
"type": "eql",
"version": 1
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.3",
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "acd13f78b6d2f6ba2349c203bd47d2d9af049fe0335f55b805cd28c453cfa6d5",
"type": "eql",
"version": 104
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
"sha256": "337d1765f1495c27d1a5daf28740c34409d3a57bbf7be559211000d47dd66469",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
"sha256": "89b0c47b77b31a2b7c84dfe6195e371e6678e7153a116dd44c14e22eae50b16c",
"type": "query",
"version": 106
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "c26cd675ef7730a95a52e92c7f5bc7144cda7fb9f14144470c96dfe93b036da2",
"type": "query",
"version": 4
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.3",
"rule_name": "Execution via local SxS Shared Module",
"sha256": "70ecd7b06628c17497b766b9473fcf76cba8a737cf13c6c34624431a8a90ecfb",
"type": "eql",
"version": 104
},
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
"min_stack_version": "8.3",
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "33fccd60667ae352a14cfcffba24c3c8dde8f3ea9005e6dc2d57b6b869b8680f",
"type": "eql",
"version": 105
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
"type": "eql",
"version": 100
},
"a52a9439-d52c-401c-be37-2785235c6547": {
"min_stack_version": "8.8",
"rule_name": "Netcat Listener Established Inside A Container",
"sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146",
"type": "eql",
"version": 2
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
"type": "eql",
"version": 5
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"min_stack_version": "8.3",
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075",
"type": "query",
"version": 106
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"min_stack_version": "8.3",
"rule_name": "Azure Active Directory PowerShell Sign-in",
"sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372",
"type": "query",
"version": 105
},
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel Windows Registry Indicator Match",
"sha256": "fe05b92e545feacda99be03b6b1ab46515960b4b036aa17ceee42ed0dad7ddb6",
"type": "threat_match",
"version": 1
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Office Child Process",
"sha256": "a61ba5ac15a7a34d76f0694e62edf5ec726aeaf9d41152bc4f58b76a6c025cc9",
"type": "eql",
"version": 106
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
"rule_name": "Emond Rules Creation or Modification",
"sha256": "1befbc897e0e93dd4cd2b4572b70e016aed45e4d2353722baa628e4f5551e729",
"type": "eql",
"version": 103
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "d4511204fcde1b9c77011f1d39c04998944256838e038bbc9aa1918f237c06e9",
"type": "eql",
"version": 106
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"min_stack_version": "8.3",
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "62a1f8bacf99e84bc1435ac4f9d97d78d87fe524c2df378ff15289ca9674abdc",
"type": "eql",
"version": 105
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"min_stack_version": "8.3",
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
"sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88",
"type": "query",
"version": 102
},
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Potential Malicious File Downloaded from Google Drive",
"sha256": "9e184df192757ad8e29a2cae60356352e84d9601bba380c446bbc4b64deb76c0",
"type": "eql",
"version": 1
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
"type": "query",
"version": 100
},
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
"min_stack_version": "8.3",
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda",
"type": "query",
"version": 102
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "6b7426c4610c0d99417b08152597279e42d5e7fb9b2a510913b106dddafe7abb",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "de0ced40cd29bb489ca1a27d785bb3d66ba4d0711f5d8d42268c9f8cab7c7df9",
"type": "query",
"version": 205
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "8d7c7f98ba23485e3a0686eddf2c1bd9788712bdecf05662d48f021ce0c290cf",
"type": "eql",
"version": 103
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"min_stack_version": "8.3",
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "c3e5eae52e4a73dfc2fcf875535ac962d131df93db2a0cb84aac70db93a44523",
"type": "query",
"version": 102
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"min_stack_version": "8.3",
"rule_name": "GCP IAM Custom Role Creation",
"sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f",
"type": "query",
"version": 104
},
"aa895aea-b69c-4411-b110-8d7599634b30": {
"min_stack_version": "8.3",
"rule_name": "System Log File Deletion",
"sha256": "2b982735ac747391a87582e7358450ae3c8a166cf6839c8f031527bb665ff38a",
"type": "eql",
"version": 105
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.3",
"rule_name": "Remotely Started Services via RPC",
"sha256": "bd0ca2d04964ce7d36b017a81d9d9967a362419827fa1d636cffd34764f0f18c",
"type": "eql",
"version": 106
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel Hash Indicator Match",
"sha256": "4f390dcdd339c913372bca00e6696497b9acd06355bc44ee247529083cf431d1",
"type": "threat_match",
"version": 1
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"min_stack_version": "8.3",
"rule_name": "Remote Execution via File Shares",
"sha256": "cf5af76991154894d922ba6ffa39d785602235b54fef9525b0bc0add45e02a14",
"type": "eql",
"version": 106
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "d461726231316e18ca3ebe2e565bbe81bfa74b8f2842bfa37baa5bfd88956019",
"type": "machine_learning",
"version": 102
},
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Login Hook",
"sha256": "59fe81064044ce31c2329e951ec2aa956d31b78811ad74796cc9ef72fcea765a",
"type": "query",
"version": 104
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WerFault Child Process",
"sha256": "06e4f5a8ec8cb7a2b8858d6cb70c0e9cb5731e014040a21021bdfcbb0b4d8554",
"type": "eql",
"version": 106
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"min_stack_version": "8.3",
"rule_name": "Unusual AWS Command for a User",
"sha256": "8048726368b5e9a135e78b0b8bbb88536d5eae51ba31356d5c37d38043a7caf9",
"type": "machine_learning",
"version": 105
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.3",
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "97beb0996e664075d6702369fd69d1ecd9b94f7d1bcbb93b2d51e49ebbe397b9",
"type": "query",
"version": 106
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "9977bfb82687f6ee557f2f9474b1cac3eb4b8c16af795908ef9b4a20ab600653",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "dff7c67640bd01423d897e090d914f6661f2ccbd00d363315a58d011cac71b65",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Command and Control via Internet Explorer",
|
|
"sha256": "9404ed32a3b7bbaabd344fa0b74d2d1e6099802fa51fb9775f5553160e7e9413",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential macOS SSH Brute Force Detected",
|
|
"sha256": "518182f871882fe226678248754e37e05df15b9a5168c5308be76e589e25137b",
|
|
"type": "threshold",
|
|
"version": 104
|
|
},
|
|
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Managed Code Hosting Process",
|
|
"sha256": "5d2572a424295a08c2ab52f62a82a19fad5895f6e570e2d58822b96aed9d5ef8",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Signed Proxy Execution via MS Work Folders",
|
|
"sha256": "b154a1563dfafd9602e3c33dda6d0d75a294b8547da34bea70512edfeae98e01",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "e28b9f491eae0c8a606f9d315389ac4a117e5d30674f8e4f4e1d3be16bc8d9c4",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "d1699c4738c1bd1387584e6a38c367c2f869b0045f7b6e2c635535f2dded6307",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
|
|
"sha256": "908f3060b0c4846a176cfe5ad9f2187c6bf23b09a3fe9833680c524f1b6ff701",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kerberos Cached Credentials Dumping",
|
|
"sha256": "f69eb78448545394ec26a0632ed3291352df485a97d45763c2eb69d210c89b59",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Transfer or Listener Established via Netcat",
|
|
"sha256": "f016897ba2db321cef7d3dd7a04703e0ecfa7dd6845b70484504dc29cf4cfac0",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
|
|
"sha256": "f2a82884f798189f2b7b13da01d487add27ee226475c02e62848b604ce71fc58",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
|
|
"sha256": "f706ae26f9260495a126a7f40d212be6abce91fe0ba59eb0ada7ce78056a69b7",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Local Scheduled Task Creation",
|
|
"sha256": "be5c9bb6ce37cc7d979aca87b55d0cf6a55462ec42338c92ac79c5fd3cbdb682",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b0046934-486e-462f-9487-0d4cf9e429c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Timestomping using Touch Command",
|
|
"sha256": "7757914030ef50d43c7b015eacb89ebffe2d36360668ecd571358e6fdf0cc7b0",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"b00bcd89-000c-4425-b94c-716ef67762f6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
|
|
"sha256": "61165ead091bce84cf4585396d856b4d9c0d33f6ba69887084aade1a8123dd3f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
|
|
"rule_name": "Potential Persistence via Cron Job",
|
|
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Network Traffic",
|
|
"sha256": "e6bccc4707cecd93cbea5fa7a1d76c45b5757e6c2284487d3948d0a9e6b67ef2",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Copy via TeamViewer",
|
|
"sha256": "8052f1ae7b554af8785295238ac7e83f6d491cf16ae9b4c506588f0159cb2950",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"b2951150-658f-4a60-832f-a00d1e6c6745": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
|
|
"sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "d74daedaf980a6db5c128f235052eaa9315e0fc5de599d36d3941f8f41f8b44a",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "b728e744228a9807d89df4db5273d33d72adc8b92bb60d0f39ed92959c45bc11",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Endpoint Security Parent Process",
|
|
"sha256": "743cf5c8d5e18e85119a328a3b41621ac9e4574a645c549a14ce2e8644b5ee02",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Code Signing Policy Modification Through Built-in tools",
|
|
"sha256": "2c51670dc0fc893d4705fd16ade5d720011b67e8acf121355e8c0b2c79757139",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"b4449455-f986-4b5a-82ed-e36b129331f7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Atom Init Script Modification",
|
|
"sha256": "92fc231149fc7d4ce3d720c8397135d8327569c535622925a4de903196eb99aa",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b45ab1d2-712f-4f01-a751-df3826969807": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS STS GetSessionToken Abuse",
|
|
"sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Policy",
|
|
"sha256": "dcef856fc4609308fb75802ad54b45751b0923372b154f746734365e2b759529",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b5877334-677f-4fb9-86d5-a9721274223b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Clearing Windows Console History",
|
|
"sha256": "653a400835b17f11ba20865c79826db118091ff04a9ef8f9b494de4079286c1e",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
|
|
"sha256": "25235a9736b4ecdf954cc17487470170ea687aaa1d661b64ab18a48d1502c838",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Elastic Agent Service Terminated",
|
|
"sha256": "b7aa857260502cd30f5f4c65ccbd873479e0bfcdac74dfd364e78fb9a5f9678f",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"b64b183e-1a76-422d-9179-7b389513e74d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Script Interpreter Executing Process via WMI",
|
|
"sha256": "5be6829e0ae6bd00d4229a15529583178ed916cf163f50369dad48b549593adf",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
|
|
"sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Policy",
|
|
"sha256": "a45a95b74cf69dd8b6c052a07173b15fb581b4864779f6409272fe8aa000dbd7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b8075894-0b62-46e5-977c-31275da34419": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Administrator Privileges Assigned to an Okta Group",
|
|
"sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b8386923-b02c-4b94-986a-d223d9b01f88": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Invoke-NinjaCopy script",
|
|
"sha256": "2d2b220aafc6a9ee7202ab83157a1b5820c801f7ccd2fe02f4615aa8081dd0e2",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
|
|
"sha256": "3ad5b888f364f3db5865ba11e56e472f2239817a4873da91d0def5e40be3dca5",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "ec002abd39c4afba7981ebb6048851084801aa94958cf9989f45cc7098c3c7a0",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
|
|
"sha256": "e6bf0d2f429fbd0e4222a52cc4c09a5959dec36b21344bc1420057e201499246",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Chkconfig Service Add",
|
|
"sha256": "7409022ed873888e3837126b2a4d3fd6cf87c2f90b31a796c97f198df51975d1",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
|
|
"sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c",
|
|
"type": "threshold",
|
|
"version": 4
|
|
},
|
|
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Group Policy Abuse for Privilege Addition",
|
|
"sha256": "50ce20970c0225897cbd6278da8c53629372100b61e456082a1018b045d9d8c3",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
|
|
"sha256": "a5f0186af2fd0c04b6ceabeb55795c5808e76a430f40c1c79bf44cc09f418584",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b9960fef-82c6-4816-befa-44745030e917": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SolarWinds Process Disabling Services via Registry",
|
|
"sha256": "9f041e9b17fbf8021d1a8e0cc63fe6718e953ea7a52731666bed3cafde74f75c",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "334c93c0d659846c309268d01cf4ddc81f7163dd30a7595918b64233bb9d346c",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
|
|
"sha256": "3d6fb6e4995004177715c69ff85197f747babea28f1e6317c2bf675eccce872b",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Resource Group Deletion",
|
|
"sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Encryption Disabled",
|
|
"sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "OneDrive Malware File Upload",
|
|
"sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bbd1a775-8267-41fa-9232-20e5582596ac": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
|
|
"sha256": "41d271a7a3e18ee8bdec67895870a01f5bc3f8801a58b29bcba5ba615179f139",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Root Login Without MFA",
|
|
"sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Storage Bucket Deletion",
|
|
"sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"bc1eeacf-2972-434f-b782-3a532b100d67": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Install Root Certificate",
|
|
"sha256": "209e98af2a66034562503985dd9af54a15e088e40160fd27010d3afb22557436",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Conditional Access Policy Modified",
|
|
"sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Non-Standard Port SSH connection",
|
|
"sha256": "cc0969499f426070cb5671979fcc404bac364c8861bdf2d623a13807b0339413",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Disabled",
|
|
"sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"bd2c86a0-8b61-4457-ab38-96943984e889": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Keylogging Script",
|
|
"sha256": "7379b80a57635f1cb89fabaaf44c587f4540341f1907d9dd775f1f0097fdea42",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Print Spooler Point and Print DLL",
|
|
"sha256": "70ca7b29a3e5476f544c054cb6be552330e1d973ebbd77d674507ebc0dedcea5",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"bdcf646b-08d4-492c-870a-6c04e3700034": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
|
|
"sha256": "9788f2c111d4f8b2f3e0fe64bf7ae3413c3de45f8b030b8611720aac8b263436",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Searching for Saved Credentials via VaultCmd",
|
|
"sha256": "729d0326dfdddf0823b549fb9dbf8c5a472322ca0145881c75f6ea3eb9f6d061",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Snapshot Restored",
|
|
"sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
|
|
"sha256": "6bb5a10732152506d86df3c43cf30d8e3f6698d13860c82c5864203686602712",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
|
|
"sha256": "6760ae2009b5b1af65ce91cc34109def0642787b6bab3fba82ecc9b61aa6e367",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
|
|
"sha256": "15bf015d0c430618cf1bae974049f5b7490200fb951e99546779e4e088b08364",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
|
|
"sha256": "f02b1ea97087aa0c75d168aafd1e53a360542cea5e0cebd4afb31782da226cbd",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Suspicious Renaming of ESXI index.html File",
|
|
"sha256": "054b3d081485e8392d43eeb49d43a0059e44f6443fd62f6023827ad5016dd02d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"c1812764-0788-470f-8e74-eb4a14d47573": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
|
|
"sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft IIS Connection Strings Decryption",
|
|
"sha256": "a46adfcb88a1feefa1fa01282ad651ad63a482285fab18a2c9088577ec24f8ee",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Connection Discovery",
|
|
"sha256": "1db90461bca9b6a4bb48ed3dc9a1c804c93dd6e51ed2b5d295527786bd6f70f1",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"c292fa52-4115-408a-b897-e14f684b3cb7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Folder Action Script",
|
|
"sha256": "de2cec5d636841a8be769737f786b08014a2483dc2ee1084b28500e5a582bba1",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c2d90150-0133-451c-a783-533e736c12d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Mshta Making Network Connections",
|
|
"sha256": "b950e475df69f1b30d37185ff33eb65d837cf4e7bd8c820d79dc27762d2ce272",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Permission Theft - Detected - Elastic Endgame",
|
|
"sha256": "a4c5424046eadd416d5c7852d917b60abbeedce771b7e1ffd2bc0bbbb6649b0e",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via BITS Job Notify Cmdline",
|
|
"sha256": "3ecf6fde8f1dd54675b805124d6c5a3482354d2124bb9084a27f626b7996ec82",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
|
|
"sha256": "30fd771c4c3580a3638be0c6aabdc48e61038f9e9144161b24170fcc813b4b74",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Mounting Hidden or WebDav Remote Shares",
|
|
"sha256": "48d850254f533120a7df9091a296001d794d5154d4749a4a65cf4565ee727ec9",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Print Spooler File Deletion",
|
|
"sha256": "d94b333f13b883478ac6a57c3a3fed46a6a46559fd39a7d4c88672c7839ffc3a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c57f8579-e2a5-4804-847f-f2732edc5156": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Desktop Shadowing Activity",
|
|
"sha256": "9e9ec1d553f13b604d6b3caa7ad2b4dd18af1222d2cb33c9c8f72d4ef244052a",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Virtual Private Cloud Network Deletion",
|
|
"sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
|
|
"sha256": "cb3a027cc825279d6ff1f31d31e63c3ce7ddce596ef2f0427bba0b3ffeb643f6",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Installation of Custom Shim Databases",
|
|
"sha256": "228b038a26e5acfe96bd90831e77ab27f69fe8e605213a668eda442a0987c94d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "edca8741f4c883f144567d28c03ca527c89064a0e3bc0c519fb55dc8cb3499b8",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
|
|
"sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via MpCmdRun",
|
|
"sha256": "e1b09ce9bb8bcef73ecb91ac0b323ad1047ee6a9355870f725b80c477546e542",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
|
|
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
|
|
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c749e367-a069-4a73-b1f2-43a3798153ad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Network Zone",
|
|
"sha256": "c2e4831483d7fbd4fb36b258d3777da2532859e88f23d7e5d11bcae9d322b5c7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Application",
|
|
"sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"c7894234-7814-44c2-92a9-f7d851ea246a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Connection via DllHost",
|
|
"sha256": "4c28438479a0b5730f87834e3dfad68cba8dcf4b62b4d7c383034bc8196c8941",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "e431240326e0ddb66017b695a15db0269ad7b4e5bde7cf37b10f01159fb9da19",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "c36b22463e66e69ad7dbd01c7e79c4adb82bf1f6ca122c7a45c071c4029f298b",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual File Modification by dns.exe",
|
|
"sha256": "f71be07fb14c369b38ffddfe6aa62a28e2142723cf4e64c0376c915405c48d8a",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Network Traffic To a Country",
|
|
"sha256": "5cf42078ef7da2f8b0fcf78ba7aa6e240834dfdd20b8ca8c26de2e6eb355c28d",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Docker Shortcut Modification",
|
|
"sha256": "fc9f92e3062643cfe2d6a12aefa7cad36930e548cffc6186fac29a72e06d84df",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
|
|
"sha256": "9313c69af7bdf578830bda07157d8323ff6cc4b6897b3e7b97ccf72b0a077a2b",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Direct Outbound SMB Connection",
|
|
"sha256": "bc60751bab9a15008f8b8c235c2db2812ee6669c00f06fe6ed51dff1fdb2808c",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Virtual Machine Fingerprinting via Grep",
|
|
"sha256": "e1bbc8967fc4f7d52fe7b0c634dd21c2dae5a7862c0451f4f5e8b4235ec64568",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c87fca17-b3a9-4e83-b545-f30746c53920": {
|
|
"rule_name": "Nmap Process Activity",
|
|
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Parent Process PID Spoofing",
|
|
"sha256": "77b22c4f50e00826c280cf0208fbaf663c53a5e94fdc0109752b095f31f9e2a7",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Ransomware Note Creation Detected",
|
|
"sha256": "c6d72fb392daa85873c96a647cbfa1b511bdddefb7c25e62a6064cc1ddcbd775",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Startup Shell Folder Modification",
|
|
"sha256": "f4980fbd2578fb7fcdee45b3b4c56a8bd7b938745b00046d8a0a17e80ef19714",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
|
|
"sha256": "36627195b2bc65f2df0890f67f38997361341df0bcfec1e72aa09017ea6335b9",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
|
|
"sha256": "91b2db5824ba03638ae1b10d6b60a2cb0825c1aa43b80768357bf49d2dee514d",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
|
|
"sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
|
|
"sha256": "cffbc8323cf7fd93783321a77063d154d2379e643d530da75c6301560fb9a61f",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
|
|
"rule_name": "Auditd Login from Forbidden Location",
|
|
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cac91072-d165-11ec-a764-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Abnormal Process ID or Lock File Created",
|
|
"sha256": "773477fde04d636ba32e12c52480ac912e81cc69b6e5fe6612f0a40e65434750",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "a8e10bb292478990aa0c82694fcd3621b81383a8058b87a25449238641d59e3b",
|
|
"type": "query",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "8a1f92b90737453373b48d24dd4dfd6e29615794a9ccaf5df7ba1a0ecf5d5e2a",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Calendar File Modification",
|
|
"sha256": "c0e0bb36805ab2fd34f19a688a345b3cb202af63f0963d23cc46b22ac6206b34",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
|
|
"rule_name": "Process Discovery via Tasklist",
|
|
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Enable the Root Account",
|
|
"sha256": "ba29107ead9c675376dd24fda3ec04aa0020c69c50cac63aa2be60a2a989d25b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace User Organizational Unit Changed",
|
|
"sha256": "50eab7a58d52dc1eb0e8d8af2d5ca140762dfdf60970d1e7d5fcbf80aff362f4",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace User Organizational Unit Changed",
|
|
"sha256": "98638b8378e232c3d8a54f3b4ec12fa3eae908ba56a658c7557b22c25766b823",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Subscription Deletion",
|
|
"sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
|
|
"sha256": "6fb43436ca90a84271299e05abea10ec8a22e7dcd3c3cbf92380387e86fae9a9",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Process Herpaderping Attempt",
|
|
"sha256": "b5dec6539208e71c295cf3802759f165f88bac7e0dd47171d7a9e62bb02bd4bc",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
|
|
"sha256": "d7fa92ed1490f1e309e84b4fee4dd02e81cd94c8642059107de67e385062259f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
|
|
"rule_name": "Socat Process Activity",
|
|
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Linux Compiler Activity",
|
|
"sha256": "90cd770be4644fc1db139e5c9e4770411c526cd8d75df30f0b929d3c4ed64d67",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kernel Module Removal",
|
|
"sha256": "88335df728513fb16235530315da5117d27f7ee647992c00a32aa06fce26e44a",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
|
|
"sha256": "e68a5114b65ec2013c3c9b05c99442525ee4713c09c95453602b704b18dad8c6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Okta User Session Impersonation",
|
|
"sha256": "a41c8732bd08c228c3a00759ff4069684f1dce5e22c611fd9b3e31a9a2778f72",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"cde1bafa-9f01-4f43-a872-605b678968b0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential PowerShell HackTool Script by Function Names",
|
|
"sha256": "98df6fd154efc45ab066d2a00f9524fa81a66f37d7d36ef5dda6ebe8c0b52ded",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
|
|
"sha256": "a3027453de4708b119195af787958c30200915ff15e3ed696ea72928a7cf20b4",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Cobalt Strike Command and Control Beacon",
|
|
"sha256": "d72e36349524c074ac047562258cfce46273ee90ce47cd6b4d7bf6583558e37b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "c773965d1c83361d3745d38a93d9ac9380056a79a5f3d4ebff542d94a9a369ce",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "15e692b56a4792a0434440ea85ef264cbfb31e1ebd9bdc618a03987f928a53a1",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution from Unusual Directory - Command Line",
|
|
"sha256": "be67c431eddcd379012a52fdceb8e29c7ca50bb81924207dcc0167b059a67853",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Namespace Manipulation Using Unshare",
|
|
"sha256": "95ff6f5a5a451c7c3167286fa0e43531b665f97fbd19eae2caa0612b2c269846",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Registry Persistence via AppInit DLL",
|
|
"sha256": "2498bd80569bb50038c401a3b9048d441bd5d8a9fcf2b839b8f035538712b52f",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Symbolic Link to Shadow Copy Created",
|
|
"sha256": "36e4d81f7eb4ef42ecb6e885bf4253cdce3aaebc0f153f2b28a41f82cb2a93ea",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"d2053495-8fe7-4168-b3df-dad844046be3": {
|
|
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
|
|
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Microsoft Office Sandbox Evasion",
|
|
"sha256": "0c0fc09e95400eff1b0ca2557064d77771d8cc107865be5cd3e0e11f29d8c71f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disabling User Account Control via Registry Modification",
|
|
"sha256": "c783dca9506ab705c9f88a3c2729370fd10ac1f6bfc74d8497074b67d9226fa3",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "3aea037601a2e4966bbbe2f6724689bfb697a5226cc79a3e951e2ca75cbaf24f",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Windows Service Installed",
|
|
"sha256": "63102ba4aec4aaab713fffceebe688d706bb41cdf8bcf23d4055467011cb9fb9",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Shell Execution via Apple Scripting",
|
|
"sha256": "9fff9fc73e4f027401f117f31054bc09b40a43e209bcaec1aaf2e527e8d29a9c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Application",
|
|
"sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
|
|
"sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux System Information Discovery Activity",
|
|
"sha256": "bf9dea3c8f6a9ea2d3b552de604fec21d81125afd5dbdf804d9e7d4cd4311257",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Source IP for a User to Logon from",
|
|
"sha256": "e8fca5acc4f3a877f0671e7492375042c332c91e9cd6129d2a20c3add084bdde",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Windir Environment Variable",
|
|
"sha256": "9df5726c33e5f211943877e9e0e8b14808da3dbbad2ffdaa342cd2e3b434bb82",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Policy Rule",
|
|
"sha256": "62cdc5b679e00073fbf859cf30717b7aa0e1a252808d8f6e1e1332ad62bb3249",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Command Lateral Movement",
|
|
"sha256": "6fb7e7e332ba7754f07850c5006b8edf7823b8babdbc83c60305faf47f7e7b62",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudWatch Log Stream Deletion",
|
|
"sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Subscription Creation",
|
|
"sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
|
|
"rule_name": "Strace Process Activity",
|
|
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Information Discovery via Windows Command Shell",
|
|
"sha256": "9f12bbc1cb7c137572e45d35b8ae7a8a32c0e891f3666f717598cf5e9bb1b2f6",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
|
|
"sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of WDigest Security Provider",
|
|
"sha256": "56fc2ab7f022815de735189fb87503086faec3468f297f74be60d2d3ccf610ce",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Command Execution via SolarWinds Process",
|
|
"sha256": "03b191ecef329ec861a3f747cf9d0046f70c3c91000bff6e22ad0d190f8bbdad",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
|
|
"sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SystemKey Access via Command Line",
|
|
"sha256": "22f4855a8b0e109886773b0ab60f676b06b9f85f8b3942fd62b79fa998f7471e",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"d76b02ef-fc95-4001-9297-01cb7412232f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Interactive Terminal Spawned via Python",
|
|
"sha256": "44072cf7c1f20e90e72ec90b43418d1ae4535fd6acbc5ddfdeb17f2f9daf9b42",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Blob Permissions Modification",
|
|
"sha256": "346cc434526ad0dc7188a5077b3493b8499b644cfa218fe758d584d9f9e9074a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Logon Events",
|
|
"sha256": "1192928fed5b71e578f0f6e83d8dc596b2e03974cd8586966d77e4147ee2bf9e",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SMTP on Port 26/TCP",
|
|
"sha256": "f6a24375bbef4ce0535113d9f6bc5ab056ac443b611d94c64ade69e1ba423377",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Untrusted Driver Loaded",
|
|
"sha256": "2fa3b976293e6f4e304535804fc5ad5a9b3b3db9ca62143d76d412d4cd48bde8",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Deactivation of MFA Device",
|
|
"sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
|
|
"sha256": "c59d439bf80fbd62af18af25b01eada281c51443bce2351b2f45afa0f219f797",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Code Signing Policy Modification Through Registry",
|
|
"sha256": "b85fcdb3f79216537bf1458e5cd1d7f69614f0f71dd14d6bf685689fb3387445",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Service was Installed in the System",
|
|
"sha256": "5efb26e2d2ec42884669c1bb7a75c13a7cd1f715a01e5791488eb2adfc2cceed",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
|
|
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
|
|
"sha256": "297e315306142cee4a09811f704f80247b099304aaedca726a6b155b0a285b02",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
|
|
"sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via Windows Subsystem for Linux",
|
|
"sha256": "7d80f28d96cb19ac5d711ff3821272b449cadc05125b80fed15e1810e7a5fd18",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
|
|
"sha256": "2f96b5a3c80cb7302384f5ad110eb5b90940fd4f578994b45253302d52e07936",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
|
|
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
|
|
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
|
|
"type": "threat_match",
|
|
"version": 100
|
|
},
|
|
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Hidden Process via Mount Hidepid",
|
|
"sha256": "32e5d329833aeceda4a28086f63db19a8cbd4bf12e6c8f58170c336adba27f47",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "61a56e3f002c13b691eb8a4d3e676025740392dac5b6394f1e32c55d82504d12",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"dca28dee-c999-400f-b640-50a081cc0fd1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Country For an AWS Command",
|
|
"sha256": "dfc13fdb33fda8b62b49e2cabd5b92c3095bd47c29d19053c7d65cd76fe0492c",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Install Kali Linux via WSL",
|
|
"sha256": "b954edff8716a829bbcfb8ea256f2d5f392a10692219826c98ce7b0a997365ba",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Reverse Shell Created via Named Pipe",
|
|
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "NullSessionPipe Registry Modification",
|
|
"sha256": "6d7dbb30f64226e1c477bbef3dfa86df372f931f16c7c3cf4177fbfffa1cd342",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Child Process from a System Virtual Process",
|
|
"sha256": "d9cd1d4940d6751e4a2e258286c9817f862911d60ce5c4bd9aa3ff7b4c0b05fb",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
|
|
"sha256": "2fa58beb5aa0c93ed53ea2a3fbedf9cd7a2d28cf0ef44434be59fa4cd00b3f60",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "First Time Seen Driver Loaded",
|
|
"sha256": "e1850f1de35fc0bf01a64f6369de0ac88966fb7de5cf8d76cc40ee74e3b233a3",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows User Calling the Metadata Service",
|
|
"sha256": "83a4ad876ab5b1216af0286368f342b23e37d16b4e500845f822998e45653ebe",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"df26fd74-1baa-4479-b42e-48da84642330": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Account Created",
|
|
"sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Dynamic Linker Copy",
|
|
"sha256": "1c8917157c0a12371a8fac9b240b8a8d4de389f6e24cbe1c5f441bfd295c0f80",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "8504c3a7241f7cfb70d23f3d06e6f6c5191c15f0ac37578efdc476c6230b04a6",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "1f4c0ae9dd783f3b83ac46047885d443bd3d578a6f76c1eb3211780b7b2e3876",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
|
|
"rule_name": "Unusual Process Execution - Temp",
|
|
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Firewall Policy Deletion",
|
|
"sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "KRBTGT Delegation Backdoor",
|
|
"sha256": "0cb624873a820339db88e27f6c934f951767b06b5fa612ba655162ddac81044c",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Service Discovery through built-in Windows Utilities",
|
|
"sha256": "30b43ce003bcfe00acfa83c3554527e306887d6b8829730f4711078d0ca9eb15",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempts to Brute Force an Okta User Account",
|
|
"sha256": "b6f0efabd99716c5dfb66c558248db57ca6bc4346b025162252b6d2d4b812240",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
|
|
"min_stack_version": "7.16",
|
|
"rule_name": "Whitespace Padding in Process Command Line",
|
|
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e0f36de1-0342-453d-95a9-a068b257b053": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Event Hub Deletion",
|
|
"sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route Table Created",
|
|
"sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Cluster Creation",
|
|
"sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to External Network via Telnet",
|
|
"sha256": "2a28b8894af580d2033d6f92cfccc8ee87166ca4f62111bb9530a383a2d139b4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"e2258f48-ba75-4248-951b-7c885edf18c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Mining Process Creation Event",
|
|
"sha256": "bef6f6bf7ed759ac36e3310b8b9514e8a51fa870287d780da54d57e603d6c626",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Successful Logon Events from a Source IP",
|
|
"sha256": "25564ff00ef70efbfb00200f066dc8aa3de97ef74f1577a17bae32a388e8ace3",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious .NET Reflection via PowerShell",
|
|
"sha256": "efaf9ba8ad7ff02dda0a2a3df059a2dba7883142a8726c6c1646fa3b68eeccd1",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Management Console Root Login",
|
|
"sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
|
|
"sha256": "0cad46f14f7e04919fb567f72588b2333aaddbd906c2b26b2efc231469f516bf",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
|
|
"sha256": "d4b32c1aa1a7cdd50177f852352b6147c0bb3cc6ee0ea3d5d4367fa923f32f5b",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP IAM Role Deletion",
|
|
"sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "a3eeba9808f132664a72bb9e332547a6b8dbc90e518f5d639978062ce074653f",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"e3c27562-709a-42bd-82f2-3ed926cced19": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
|
|
"sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Ransomware - Prevented - Elastic Endgame",
|
|
"sha256": "c3d5155da5baae86f8ea73fe2f45b44e3012406d9fc61cd2169142c81be06631",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
|
|
"sha256": "1d8fbea05cf9bfdfc4b87a7f952139314e16086435879cf7915208a0c2f2ecef",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
|
|
"sha256": "5f49e89f504715fe1cba731e8ae1d6f883b041e3e58b5baf6a46ad13c911835b",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Network Zone",
|
|
"sha256": "ba662b1194bf9f4b47c12bfbbb4996593137acbde534f431a4219b3c5e46147e",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Creation via Local Kerberos Authentication",
|
|
"sha256": "c47f1f706cc482c626dc8045250f798362338387db47fe387412408b6be3bae1",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kerberos Pre-authentication Disabled for User",
|
|
"sha256": "f58e148fb90ab12de044fc7afa0a2778b71ecd8643082310872048c0960b54d4",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "2c13a6fc437d2115e97e6e81a6d555601f5f93d05f444b9935bf76d94877c049",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "91e053deeef1fbe832a95085ef68f2122ba06d94e64114a2d0e61cf3f1d64d6f",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
|
|
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Bash Shell Profile Modification",
|
|
"sha256": "7f6ff70bb01620c9324c6ce0743e205ea091501a7016e8bb65790760e3def99d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Authorization Plugin Modification",
|
|
"sha256": "aac4b1275744c5a1fe3d0445c9f3b4ae84e05de109b4efdb9d345686552e83fe",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Possible Okta DoS Attack",
|
|
"sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
|
|
"sha256": "7d1e6bcb45ff23e9e8cd012485a31ac59e652ebf7047896172ac71beb689f78a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"e7075e8d-a966-458e-a183-85cd331af255": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Default Cobalt Strike Team Server Certificate",
|
|
"sha256": "c0e04ce1aa8f8652c9593631d1a9692ea6c265ee388e504ccc1d3c225ad62272",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of Persistent Suspicious Program",
|
|
"sha256": "2d819160686b4dfc1941accb589fd0938e37c0ef216edadc9d94c351b612010a",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Credential Dumping via Unshadow",
|
|
"sha256": "0097165a0376ec51018928535107bd47c625c71f6d811e7798d6454e630959e6",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"e7cd5982-17c8-4959-874c-633acde7d426": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route Table Modified or Deleted",
|
|
"sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Control Spawned via Script Interpreter",
|
|
"sha256": "b9ae74fc807ffc8fce266a1f8c095a0887e594a44c0e61dc8839c448a0a6a17b",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Installation of Security Support Provider",
|
|
"sha256": "1bf151116d4b2bc3ccc7951936a59d68d4b8669432206c00e14304c8e1415150",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
|
|
"sha256": "30ecd8e373787ea5c52b236e4ed93a887c090fe39055bf6bc728cfbc4df05cba",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
|
|
"sha256": "461c3f71870bbfa62c1a74b888409aee26922533e3a2c97feebb9e8a7a051a2b",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 VM Export Failure",
|
|
"sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Executable File Creation by a System Critical Process",
|
|
"sha256": "c04a3b177fa635e5073e1777229cf87cc812c0aca116dc0fb5278fe9b4103c5c",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential LSA Authentication Package Abuse",
|
|
"sha256": "0e8169011982ee7609a677aafc69532dc6d9a4330676dfe37707d6f051f77c94",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
|
|
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
|
|
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Webhook Created",
|
|
"sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
|
|
"rule_name": "SSH (Secure Shell) from the Internet",
|
|
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ea248a02-bc47-4043-8e94-2885b19b2636": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
|
|
"sha256": "d8fbba1e46a7add1e78c5e5e8efbbd07526667d98224a35765adf2574e4c6e80",
|
|
"type": "threshold",
|
|
"version": 106
|
|
},
|
|
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Firewall Denies",
|
|
"sha256": "083a8ad280b799c399d7821f2f4e606ac4a020dbe66a2d90b03779ddda9e0ac4",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "External Alerts",
|
|
"sha256": "987ec9abd74221c9ba9d74c421bc291c1a711da2030aac49cf842693483d9849",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Kerberos Ticket Request",
|
|
"sha256": "b09591ece328dd29ed60845821b59f2b96d138e54141956653823147a860be54",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Network Connection Attempt by Root",
|
|
"sha256": "ce171e10dd4f2e9f29d53f86a45ef18f13d60934ea0b9dfab548e7e78bdb4327",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Disabling of SELinux",
|
|
"sha256": "5b24a50476c732ec6b371dad3170cad81c5aa1c731a55c68760d81b86a61b9e9",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Mimikatz Memssp Log File Detected",
|
|
"sha256": "ee443de66e8ce5e18a5a6ffd0fe8f851b831366de4650d6d871c43f5f8a6d338",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "IIS HTTP Logging Disabled",
|
|
"sha256": "5e7cb98d3206bb2c2de6b1e2342323f2872bce4e3fb01683c81648cb365b45b1",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Execution from an Unusual Directory",
|
|
"sha256": "4f5246aada46e95bdd9fed86ca0d16acd2974d578418af67875271c309deec2a",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ec604672-bed9-43e1-8871-cf591c052550": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "File Made Executable via Chmod Inside A Container",
|
|
"sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
|
|
"sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Instance/Cluster Stoppage",
|
|
"sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Global Administrator Role Addition to PIM User",
|
|
"sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AdFind Command Activity",
|
|
"sha256": "f4e71dc526006da4bac3c997b139ec814a7ee28bd2f9a180dcdf72accc5e7b85",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Application",
|
|
"sha256": "8918983eb9b6562f7e4d777bac27a169d9d8a49fcb0c3d686a12c217aafe43c0",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "22a83d83075e8a7c7d03073abac96e611e683a27e786b7302d85b963bd60eca3",
"type": "eql",
"version": 105
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"min_stack_version": "8.3",
"rule_name": "Linux User Account Creation",
"sha256": "107da0106c3f254f127dbe0e2e7a48f94e25c304441895a7e33dff2c4399bad4",
"type": "eql",
"version": 1
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "2354a55212329efb9a516c9174288f3e0b64ad13792b723bb28d57651cbd5d0c",
"type": "eql",
"version": 103
},
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
"type": "eql",
"version": 100
},
"eea82229-b002-470e-a9e1-00be38b14d32": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "99dac24a22a39ea3be5c736dcc12cc76b1c987fdae7e573526777dcad95277f4",
"type": "eql",
"version": 103
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"min_stack_version": "8.3",
"rule_name": "BPF filter applied using TC",
"sha256": "e324fbce926ee2c09462c343fc2dfac12ea68d40006d9f7a6691abcaf792dcf8",
"type": "eql",
"version": 104
},
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "b7a016a12f5e3c2e210d36424564a200cae8b1effa73daf7fabf056d9f4fe732",
"type": "eql",
"version": 2
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.3",
"rule_name": "Whoami Process Activity",
"sha256": "07c4a16cbb0ffc5b61004a6277d767c457afcc3013ba98d0b8d490439350cc98",
"type": "eql",
"version": 106
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "6c802906ba9f964ce774dfa67a8c3d6010d1006704d7fc403537bdf9f0dd6297",
"type": "eql",
"version": 104
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"min_stack_version": "8.3",
"rule_name": "Suspicious HTML File Creation",
"sha256": "1e5bef65027af0a05f3de482643acc583716953c5c99bf4896ce11051852964d",
"type": "eql",
"version": 103
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.3",
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba",
"type": "query",
"version": 103
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Remove File Quarantine Attribute",
"sha256": "fcf72e0783c3adf9aafc478284e0eba0dab0551c0715760478495a33c7dfecfc",
"type": "eql",
"version": 103
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"min_stack_version": "8.3",
"rule_name": "Azure Alert Suppression Rule Created or Modified",
"sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270",
"type": "query",
"version": 102
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"min_stack_version": "8.3",
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "069592795fe832ea7f6dfe549a1fa247bd908178024ee419b20fcb7c1f7f6968",
"type": "query",
"version": 103
},
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Code Execution via Web Server",
"sha256": "e1933ad28988253512b9a5ee5533353cc8f7fae5f6f733e7c3407bb7be61043a",
"type": "eql",
"version": 2
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af",
"type": "query",
"version": 2
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "3336e870dbf93421b43a64f9b8c49cadad5f601538631b20e82f9049e196fc73",
"type": "eql",
"version": 104
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"min_stack_version": "8.3",
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "84cb2e4e1720959039508304ff67cfdee0c1a51db94272d7d25d0db239a4b426",
"type": "eql",
"version": 104
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.3",
"rule_name": "SIP Provider Modification",
"sha256": "b6d059b41ec3c351e24a6792aad79cbc08783ae813d7805711b61488eac3fa3d",
"type": "eql",
"version": 104
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"min_stack_version": "8.3",
"rule_name": "LSASS Memory Dump Creation",
"sha256": "f7fcb2f0df25ddd194a087a817b5a6e48d66536798ceb70722f5136cf4ba1e45",
"type": "eql",
"version": 105
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"min_stack_version": "8.3",
"rule_name": "AWS RDS Instance Creation",
"sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5",
"type": "query",
"version": 103
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application",
"sha256": "4c7e78b131d1198b5114a869eb0b7caafc11536152cd2368abfdd62ff264472f",
"type": "eql",
"version": 3
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"min_stack_version": "8.3",
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "2cc5999ea9bca1224596aa743a6061b9a66467314d2e17783d03f46fc9ebeb4a",
"type": "eql",
"version": 105
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"min_stack_version": "8.3",
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
"sha256": "79fde8d4adcaaaa7ac191b37765c599413cd54d37497553e7e8e735f18aac24d",
"type": "threshold",
"version": 102
},
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel URL Indicator Match",
"sha256": "409d3bc12f5c23dad57929d503220d7e70fddea5af0fedaa5a7fa71f14096d4e",
"type": "threat_match",
"version": 1
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "9025912a22ca77063fc7dd8f0843ac667190f2191588cf9bbce1909e2d83a248",
"type": "eql",
"version": 103
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.3",
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "58fd8199f7eaa97b77809fbe7b9b19e44632eef4618a3a85d269f4c10fc65dda",
"type": "query",
"version": 107
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
"type": "eql",
"version": 100
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Executing PowerShell",
"sha256": "e7dc6fb96282c96c61bb1290e6e68d0cfd0e5cd0fd30eeeaec670b79c3041ee5",
"type": "eql",
"version": 105
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"min_stack_version": "8.8",
"rule_name": "SSH Connection Established Inside A Running Container",
"sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7",
"type": "eql",
"version": 2
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"min_stack_version": "8.3",
"rule_name": "Masquerading Space After Filename",
"sha256": "e59551f8663381e3baeba7dd42447256e5d15c271552d6f3c15755eda537742a",
"type": "eql",
"version": 3
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"min_stack_version": "8.3",
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "133e8e211c98abb7775d5ef2a264fcda19a436423e9ae8c878966f5ba362de62",
"type": "eql",
"version": 105
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.3",
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "a3dfc02fcce81d2343d3560d8caea2b824651441f863cce2ef98a6c0d5a905e4",
"type": "eql",
"version": 106
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"min_stack_version": "8.3",
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "a3deb286c584007ec6431c3226831128f8c2a3809fb331bb2b178cdb9ef1b569",
"type": "query",
"version": 103
},
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
"min_stack_version": "8.3",
"rule_name": "Azure Service Principal Credentials Added",
"sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103",
"type": "query",
"version": 102
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"min_stack_version": "8.3",
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd",
"type": "query",
"version": 106
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"min_stack_version": "8.8",
"rule_name": "SSH Authorized Keys File Modified Inside a Container",
"sha256": "d08ada3a6198777da68c1ad854b2c989ea3c25a2cd89c68741c538de9a433237",
"type": "eql",
"version": 2
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"min_stack_version": "8.3",
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "aedf01dfa1bf8d224d1fccc905243a26c241bbd0e968852f69ca044285fb493c",
"type": "eql",
"version": 106
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "96fcb69c27262eca1aa8dd6c790be15b464ce6c19ce2942806f0f301716e1bc8",
"type": "eql",
"version": 103
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "b39735f9a618bae0e9c20d03324affbfe31fb8687966a1c6f6f08f44c29faf73",
"type": "query",
"version": 103
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.3",
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "0ef5e5688380318d8e5b973d62177b1068dd91236911b6404bf671185933e979",
"type": "eql",
"version": 105
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Network Configuration Discovery",
"sha256": "496578f1b84ea8549729bfd25e63a4eecb1e9dff49aafcdc6443c19942459476",
"type": "machine_learning",
"version": 103
},
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"min_stack_version": "8.3",
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "5442a56054357a1ed242e64c168bb93cdaef2d7dab17907b877542e244eb2c4c",
"type": "eql",
"version": 3
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.3",
"rule_name": "Privileged Account Brute Force",
"sha256": "f5252571a3884a621635498b85bfdf070a396d30be00c83e6336d0c4e91979e7",
"type": "eql",
"version": 7
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06",
"type": "query",
"version": 103
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "bc06b516f75d028926285aa293b7bf12cdc34c0f4192a04f7a9e258403034b29",
"type": "eql",
"version": 104
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"min_stack_version": "8.3",
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "0a85e5b12d3f9d504e42f5657e237eabe3b1f46221056c4468a09afa97701f11",
"type": "eql",
"version": 2
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "70f6b702304d14b1e4db662b3b6f9eec193223953e69772dbc78cff2ae73d186",
"type": "eql",
"version": 4
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Registration Utility",
"sha256": "bb44b33fa5d5d15163b5cdc51d5f5c127d3022c651aa17333b36cdd0abb0f9d3",
"type": "eql",
"version": 104
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
"type": "query",
"version": 100
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"min_stack_version": "8.3",
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4",
"type": "query",
"version": 103
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "96fe25fb76a0337fa7f7f585fde5bfe86d03528f33382dab0ec8766b4bc2b762",
"type": "eql",
"version": 104
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
"type": "eql",
"version": 100
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"min_stack_version": "8.3",
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "73fc12430790298f2f05319524499777d0c7c2cc255e57e8471446f9af663395",
"type": "eql",
"version": 105
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.3",
"rule_name": "Suspicious CertUtil Commands",
"sha256": "e947ee6e113ad0a659652a84faabb40ba343c6bee1fa11acf179c9e4f5c2a4c8",
"type": "eql",
"version": 105
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.3",
"rule_name": "Svchost spawning Cmd",
"sha256": "4a6376d24e1e14905d1096728ea63c281a55893a2cf2573b3ebf4a71a4aab05d",
"type": "eql",
"version": 106
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "53e0af24327a2cbab6fcacb09e3f95174eff8fdbbb805d7e44607b32dfa5113e",
"type": "eql",
"version": 105
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"min_stack_version": "8.3",
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "eb594f40b846f2e27c3ac05de62f5c78c771164a6d579245e5e4c27990e1c049",
"type": "eql",
"version": 105
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"min_stack_version": "8.3",
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "93c635e72bde1b37f08db8fbaab71b57c830ec8a6d88f9d868cad5cae1d4c602",
"type": "query",
"version": 102
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.6",
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
"sha256": "e08ba3629f77b0f14dbb69c9ff288225c03c60802a7db963793ba77fe92c4383",
"type": "new_terms",
"version": 2
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"min_stack_version": "8.7",
"rule_name": "LSASS Process Access via Windows API",
"sha256": "dae356594ee36f82491c4f915e8b4530b0f5d8825f3ef41980ac82e0e9a3b9b3",
"type": "eql",
"version": 2
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"min_stack_version": "8.3",
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7",
"type": "query",
"version": 102
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"min_stack_version": "8.3",
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068",
"type": "query",
"version": 104
}
} |